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Abstract 


CERT !<  Resilience  Management  Model  (CERT  -RMM)  provides  a  reference  model  that  allows 
organizations  to  make  sense  of  their  practice  deployment  in  a  process  context.  In  this  context,  the 
primary  goal  of  this  document  is  to  help  model  users  and  adopters  to  understand  how  CERT- 
RMM  process  areas,  industry  standards,  and  codes  of  practices  that  are  used  by  organizations  in 
an  operational  setting  are  connected.  Additionally,  this  document  helps  to  achieve  a  primary  goal 
of  CERT-RMM,  which  is  to  allow  adopters  to  continue  to  use  their  preferred  standards  and  codes 
of  practice  at  a  tactical  level  while  maturing  management  and  improvement  of  operational  resili¬ 
ence  at  a  process  level.  This  document  was  also  created  with  the  objective  to  permit  organizations 
to  use  CERT-RMM  as  a  means  for  managing  the  complexities  of  deploying  more  than  one  stand¬ 
ard  or  code  of  practice. 
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1  Introduction 


This  document  is  a  supplement  to  the  CERT®  Resilience  Management  Model  (CERT®-RMM) 
v  1.1.  It  is  primarily  intended  to  help  model  users  and  adopters  understand  the  connection  between 
CERT-RMM  process  areas,  industry  standards,  and  codes  of  practice  that  are  commonly  used  by 
organizations  in  an  operational  setting. 

This  document  helps  to  achieve  a  primary  goal  of  CERT-RMM,  which  is  to  allow  adopters  to 
continue  to  use  their  preferred  standards  and  codes  of  practice  at  a  tactical  level  while  maturing 
management  and  improvement  of  operational  resilience  at  a  process  level.  This  document  pro¬ 
vides  a  reference  for  model  adopters  to  detennine  how  their  current  deployment  of  practices  sup¬ 
ports  their  desired  level  of  process  maturity  and  improvement. 

Another  important  objective  of  this  document  is  to  permit  organizations  to  use  CERT-RMM  as  a 
means  for  managing  the  complexities  of  deploying  more  than  one  standard  or  code  of  practice. 
CERT-RMM  provides  a  reference  model  that  allows  organizations  to  make  sense  of  their  practice 
deployment  in  a  process  context.  Thus,  issues  such  as  practice  overlap  and  redundancy  or  the  as¬ 
sociation  of  a  practice  to  more  than  one  process  can  be  identified  and  considered  to  improve  pro¬ 
cesses,  reduce  practice  “quagmires,”  and  improve  effectiveness  relative  to  cost.  In  essence, 
CERT-RMM  can  provide  organizations  a  guide  for  determining  the  best  practices  and  selectively 
choosing  them  based  on  process  improvement  goals. 

1.1  Model  Description 

The  CERT-RMM  vl.l  is  a  capability  maturity  model  for  managing  operational  resilience.  It  has 
two  primary  objectives: 

•  Establish  the  convergence  of  operational  risk  and  resilience  management  activities  (security 
planning  and  management,  business  continuity,  and  IT  operations  and  service  delivery)  into 
a  single  model. 

•  Apply  a  process  improvement  approach  to  operational  resilience  management  by  defining 
and  applying  a  capability  scale  that  expresses  increasing  levels  of  process  maturity. 

1 .1 .1  Features  and  Benefits  of  CERT-RMM 

CERT-RMM  has  the  following  features: 

•  provides  a  process  definition,  expressed  in  26  process  areas  across  four  categories — 
enterprise  management,  engineering,  operations,  and  process  management 

•  focuses  on  the  resilience  of  four  essential  operational  assets:  people,  information,  technolo¬ 
gy,  and  facilities 

•  includes  processes  and  practices  that  define  a  scale  of  four  capability  levels  for  each  process 
area:  incomplete,  performed,  managed,  and  defined 


CERT,  CERT  Resilience  Management  Model,  and  CERT-RMM  are  registered  in  the  U.S.  Patent  and  Trade¬ 
mark  Office  by  Carnegie  Mellon  University. 
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•  serves  as  a  meta-model  that  easily  coexists  with  and  references  common  codes  of  practice 
such  as  IS02700x,  CobiT,  BS25999,  and  IS024762 

•  includes  quantitative  process  measurements  that  can  be  used  to  ensure  operational  resilience 
processes  are  performing  as  intended 

•  facilitates  an  objective  measurement  of  capability  levels  via  a  structured  and  repeatable  ap¬ 
praisal  methodology 

•  extends  the  process  improvement  and  maturity  pedigree  of  CMMI  to  assurance,  security,  and 
service  continuity  activities 

A  copy  of  the  current  version  of  the  CERT  Resilience  Management  Model  can  be  obtained  at 
http://www.cert.org/resilience. 

1.2  Relating  CERT-RMM  to  Standards  and  Codes  of  Practice 

CERT-RMM  has  several  key  components.  The  “process  area”  forms  the  major  structural  element 
in  the  model.  Each  process  area  has  a  series  of  descriptive  components. 

There  are  two  types  of  practices  referred  to  in  CERT-RMM:  specific  practices  and  subpractices.  It 
is  important  to  understand  the  distinction  between  these  types  of  practices  and  the  practices  con¬ 
tained  in  common  codes  of  practice  in  order  to  make  use  of  this  document. 

1.2.1  Process  Area 

CERT-RMM  is  comprised  of  26  process  areas.  Each  process  area  describes  a  functional  area  of 
competency.  In  aggregate,  these  26  process  areas  define  the  operational  resilience  management 
system. 

1 .2.2  Process  Area  -  Process  Area  Goals 

Each  process  area  has  a  set  of  goals.  Goals  are  required  elements  of  the  process  area  and  define 
the  accomplishment  targets  of  the  process  that  are  reflected  by  the  process  area.  An  example  of  a 
goal  from  the  Service  Continuity  process  area  is  “SC:SG1  Prepare  for  Service  Continuity.” 

1 .2.3  Process  Area  Goals  -  Specific  Practices 

The  process  area  goals  are  decomposed  into  specific  practices.  Specific  practices  are  expected 
elements  of  the  process  area  that,  when  achieved,  should  promote  accomplishment  of  the  associ¬ 
ated  goal.  Specific  practices  are  considered  to  be  the  “base  practices”  of  the  process  area  that  re¬ 
flect  the  area’s  body  of  knowledge.  An  example  of  a  specific  practice  from  the  Service  Continuity 
process  area  is  “SC:SG1.SP1  Plan  for  Service  Continuity,”  which  is  a  practice  aimed  at  the 
achievement  of  goal  “SC:SG1  Prepare  for  Service  Continuity.” 

1.2.4  Specific  Practices  -  Subpractices 

Specific  practices  are  decomposed  into  subpractices.  Subpractices  are  informative  elements  asso¬ 
ciated  with  each  specific  practice  and  relevant  process  work  products.  Subpractices  are  a  transi¬ 
tion  point  for  process  area  specific  practices  because  the  focus  changes  at  this  point  from  “what” 
must  be  done  to  “how.”  While  not  overly  prescriptive  or  detailed,  subpractices  help  the  user  to 
determine  how  to  satisfy  the  specific  practices  and  achieve  the  goals  of  the  process  area.  Each 
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organization  will  have  its  own  subpractices  either  organically  developed  by  the  organization  or 
acquired  from  a  code  of  practice. 

1.2.5  Subpractices  -  Standards  and  Common  Codes  of  Practice 

Subpractices  can  be  linked  to  standards  and  codes  of  practice. 1  Subpractices  are  typically  generic 
in  nature,  while  codes  of  practice  can  be  very  specific.  For  example,  a  subpractice  may  suggest 
“set  password  standards  and  guidelines”  while  a  specific  code  of  practice  may  state  that  “pass¬ 
words  should  be  changed  at  90-day  intervals.” 


Standards  and  codes  of  practice  are  not  universally  written  at  the  implementation  level.  Thus,  some  standards 
and  codes  of  practice  may  include  elements  of  goals,  specific  practices,  and  subpractices.  However,  generally 
standards  and  codes  of  practice  provide  implementation  details  that  can  be  used  to  actualize  CERT-RMM  goals 
and  specific  practices,  and  therefore  are  considered  to  be  comparable  to  subpractices  in  the  CERT-RMM  mod¬ 
el. 
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2  Standards  and  Codes  of  Practice 


This  section  details  the  standards  and  codes  of  practice  that  have  been  referenced  in  this  docu¬ 
ment.  These  standards  and  codes  are  typically  in  the  public  domain  but  may  have  usage  and  li¬ 
cense  restrictions.  For  ease  of  use,  practices  have  been  referenced  by  their  original  numbers,  but 
there  is  no  restatement  of  the  practice  included.  Information  on  obtaining  copies  of  each  code  of 
practice  is  included  in  this  section,  as  each  copyright  owner  (or  licensor)  is  the  authoritative 
source  for  the  respective  standard  or  code  of  practice.2 

2.1  ANSI/ASIS  SPC. 1-2009 

The  ANSI/ASIS  SPC.  1-2009  is  the  American  National  Standard  on  Organizational  Resilience: 
Security,  Preparedness,  and  Continuity  Management  Systems  -  Requirements  with  Guidance  for 
Use  [ANSI  2009].  The  document  is  published  by  ASIS  International  and  approved  by  the  Ameri¬ 
can  National  Standards  Institute,  Inc.  The  standard  is  designed  as  an  organizational  resource  to 
foster  preparedness  in  anticipation  of  disruptive  incidents.  The  standard  presents  guidelines  on  its 
interpretation  of  organizational  resilience  management. 

The  ANSI/ASIS  SPC.  1-2009  can  be  obtained  in  PDF  from  ASIS  online  at 
http://www.asisonline.org/guidelines/ASIS_SPC.l-2009_Item_No._1842.pdf. 

2.2  BS  25999 

BS  25999  is  the  British  Standards  Institution’s  (BSI)  code  of  practice  and  specification  for  busi¬ 
ness  continuity  management.  The  purpose  of  the  standard  is  to  provide  a  basis  for  understanding, 
developing,  and  implementing  business  continuity  within  an  organization  and  to  provide  confi¬ 
dence  in  the  organization’s  dealings  with  customers  and  other  organizations. 

There  are  two  BS  25999  documents:  the  code  of  practice,  BS  25999-1:2006  [BSI  2006],  and  the 
specification,  BS  25999-2:  2007  [BSI  2007],  The  code  of  practice  was  used  for  the  crosswalk  in 
this  document. 

British  Standards  can  be  obtained  in  PDF  or  hard  copy  format  from  the  BSI  online  shop  at 
http://www.bsigroup.com/Shop.  Hard  copies  can  also  be  obtained  by  contacting  BSI  Customer 
Services  at  +44  (0)20  8996  9001  or  cservices@bsigroup.com. 

2.3  COBIT  4.1 

COBIT  is  the  Control  Objectives  for  Information  and  Related  Technology  [ITGI  2007].  It  was 
developed  by  the  Information  Systems  Audit  and  Control  Association  (ISACA)  and  the  IT  Gov¬ 
ernance  Institute  (ITGI)  to  provide  managers,  auditors,  and  IT  users  with  generally  accepted  in- 


The  copyright  owners  of  the  codes  of  practice  have  not  participated  in  the  creation  or  review  of  CERT  RMM  or 
this  Code  of  Practice  Crosswalk.  Accordingly,  the  inclusion  of  a  particular  standard  or  code  of  practice  in  this 
Code  of  Practice  Crosswalk  is  not  an  endorsement  or  validation  of  the  Software  Engineering  Institute,  CERT 
RMM  or  this  Code  of  Practice  Crosswalk  by  such  copyright  owner,  and  all  references  to  such  codes  of  practice 
should  be  read  as  qualified  by  the  actual  codes  of  practice. 
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formation  technology  control  objectives  to  maximize  IT  benefits  and  ensure  appropriate  IT  gov¬ 
ernance,  security,  and  control. 

COBIT  4.1  is  the  current  version  and  was  used  in  this  crosswalk  document.  Further  information 
regarding  the  implementation  of  COBIT  4.1,  including  copies  of  the  current  version,  can  be  ob¬ 
tained  by  visiting  http://www.isaca.org  and  http://www.itgi.org. 

2.4  CMMI 

Capability  Maturity  Model  '  Integration  (CMMI®)3  is  a  process  improvement  maturity  model  for 
the  development  of  products  and  services.  The  CMMI  for  Development  (CMMI -DEV)  represents 
the  systems  and  software  development  domain  [CMMI  2006].  The  CMMI  for  Services  (CMMI- 
SVC)  constellation  is  designed  to  cover  the  activities  required  to  manage,  establish,  and  deliver 
services  [CMMI  2009]. 

CMMI  for  Development  vl.2  is  used  in  this  document  and  is  referenced  as  CMMI-DEV.  It  can  be 
obtained  at  http://www.sei.cmu.edu/library/abstracts/reports/06tr008.cfm.  CMMI  for  Services 
vl.2  is  used  in  this  document  and  can  be  obtained  at 

http://www.sei.cmu.edu/library/abstracts/reports/09tr001.cfm.  It  is  referenced  as  CMMI-SVC 
throughout  this  document. 

2.5  FFIEC  Business  Continuity  Planning  Handbook 

The  Federal  Financial  Institutions  Examination  Council  (FFIEC)  publishes  a  series  of  booklets 
that  comprise  the  FFIEC  Information  Technology  Examination  Handbook.  These  booklets  are 
published  to  help  bank  examiners  to  evaluate  financial  institutions  and  service  provider  risk  man¬ 
agement  processes  with  the  goal  of  ensuring  the  availability  of  critical  financial  services. 

The  FFIEC  Business  Continuity  Planning  booklet  [FFIEC  2008]  was  used  for  reference  in  this 
code  of  practice  crosswalk.  In  the  future,  the  FFIEC  Information  Security  booklet  will  be  refer¬ 
enced  as  well.  FFIEC  booklets  can  be  obtained  at 
http://www.ffiec.gov/ffiecinfobase/html  _pages/it_0 1  .html. 

2.6  ISO/IEC  20000-2:2005  (E) 

ISO/IEC  20000  is  a  standard  and  code  of  practice  for  IT  service  management  published  by  the 
International  Organization  for  Standardization  and  the  International  Electrotechnical  Commission 
(ISO/IEC).  It  is  based  on  (and  supersedes)  the  earlier  British  Standard  BS  15000.  It  reflects  the 
best  practice  guidance  for  IT  service  management  as  provided  in  the  ITIL  (Information  Technolo¬ 
gy  Infrastructure  Library)  framework,  but  also  broadly  covers  other  service  management  stand¬ 
ards. 

The  ISO/IEC  20000-2:2005  code  of  practice  [ISO/IEC  2005a]  was  used  in  this  crosswalk  docu¬ 
ment.  The  standard  ISO/IEC  20000-1:2005  and  the  code  of  practice  ISO/IEC  20000-2:2005  can 
be  purchased  from  ANSI  at  http://webstore.ansi.org/. 


Capability  Maturity  Model  and  CMMI  are  registered  in  the  U.S.  Patent  and  Trademark  Office  by  Carnegie 
Mellon  University. 
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2.7  ISO/IEC  24762:2008  (E) 


ISO/IEC  24762,  “Guidelines  for  information  and  communications  technology  disaster  recovery 
services”  [ISO/IEC  2008a],  is  part  of  business  continuity  management  standards  published  by 
ISO/IEC.  It  can  be  applied  in-house  or  to  outsourced  providers  of  DR  physical  facilities  and  ser¬ 
vices. 

The  current  version  of  the  standard,  ISO/IEC  24762:2008,  can  be  purchased  from  ANSI  at 
http://webstore.ansi.org/. 

2.8  ISO/IEC  27002:2005  (E) 

ISO/IEC  27002,  “Code  of  practice  for  information  security  management”  [ISO/IEC  2005b], 
broaches  the  full  scope  of  security  management,  at  points  touching  upon  both  IT  management  and 
disaster  recovery.  ISO/IEC  27002  is  part  of  a  growing  “27000  series”  that  evolved  from  the  origi¬ 
nal  British  Standard  BS  7799,  which  was  translated  to  ISO  standard  ISO  17799. 

The  current  version  of  the  code  of  practice,  ISO/IEC  27002:2005,  can  be  purchased  from  ANSI  at 
http://webstore.ansi.org/. 

2.9  ISO/IEC  27005:2008  (E) 

ISO/IEC  27005,  “Information  technology  —  Security  techniques  —  Information  security  risk  man¬ 
agement”  [ISO/IEC  2008b],  is  also  a  British  Standard  derivation.  ISO/IEC  27005  is  based  upon 
BS  7799-3:2006.  The  standard  describes  a  risk  management  process  specific  to  information  secu¬ 
rity  and  analysis  of  that  risk. 

The  current  version  of  the  code  of  practice,  ISO/IEC  27005:2008,  can  be  purchased  from  ANSI  at 
http://webstore.ansi.org/. 

2.10  ISO/IEC  31000:2009  (E) 

ISO/IEC  31000,  “Risk  Management  -  Principles  and  Guidelines”  [ISO/IEC  2009],  is  another 
standard  published  by  ISO/IEC  and,  as  mentioned,  is  distinct  from  ISO/IEC  27005.  ISO/IEC 
31000  deviates  from  the  British  Standard  origin  of  the  preceding  standards.  ISO/IEC  is  derived 
from  the  Standards  Australia  and  Standards  New  Zealand  document:  AS/NZS  4360:2004.  This 
standard  is  a  set  of  best  practices  and  guidelines  for  the  development  of  a  risk  management 
framework.  The  framework  guidance  is  organizational  in  scope  and  focuses  on  the  management 
of  perceptible  risk  and  risk  tolerance. 

The  current  version  of  the  code  of  practice,  ISO/IEC  3 1000:2009,  can  be  purchased  from  ANSI  at 
http://webstore.ansi.org/. 

2.11  NFPA1600 

NFPA  1600  is  the  National  Fire  Protection  Agency  Standard  on  Disaster/Emergency  Management 
and  Business  Continuity  Programs  [NFPA  2007].  It  is  primarily  focused  on  the  development,  im¬ 
plementation,  and  operation  of  disaster,  emergency,  and  business  continuity  programs,  including 
the  development  of  various  types  of  related  plans.  The  2007  edition  of  this  standard  was  used  for 
reference  and  is  an  update  of  the  2004  standard. 
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The  standard  can  be  obtained  at  the  NFPA  website  at  http://www.nfpa.org. 

2.12  PCIDSS 

PCI  DSS  is  the  Payment  Card  Industry  Data  Security  Standard  that  evolved  from  security  efforts 
by  major  credit  card  organizations  [PCI  2009],  It  is  intended  to  provide  a  data  security  standard 
for  merchants  and  card  payment  service  providers  and  processors  to  prevent  fraud  and  control 
vulnerabilities.  Compliance  with  the  standard  is  validated  through  assessments  performed  by  PCI 
DSS-qualified  assessors. 

The  current  standard  version  is  1.2.1. 4  It  can  be  downloaded  at 
http://www.pcisecuritystandards.org. 


Payment  Card  Industry  (PCI)  Data  Security  Standard,  Version  1.1  (Release:  September  2006)  provided  courte¬ 
sy  of  PCI  Security  Standards  Council,  LLC  and/or  its  licensors.  ©  2007  PCI  Security  Standards  Council,  LLC. 
All  Rights  Reserved. 
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3  RMM  Crosswalk 


CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific  ansi/asis 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices  spc.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008(E) 

2009  (E) 

1600 

2009 

ADM  -  Asset  Definition  and  Management 

ADM-.SGl  Establish 

Organizational  Assets 

ADM-.SGl.SPl  Inventory 

7.7.1 

CM:SP1.1 

CM:SP1.1 

P04.13 

6.6.2 

5.3.1 

7.1.1 

8.2. 1.2 

6.1.3 

12.3.4 

Assets 

9.1.1 

5.3.2 

15.1.3 

6.1.5 

12.3.7 

Subpractices 

9.1.2 

5.3.3 

6.1.6 

1.  Identify  and  inventory 

vital  staff. 

5.5.3 

2.  Identify  and  inventory 

high-value  information 
assets. 

6.14.9 

7.14.6 

3.  Identify  and  inventory 

high-value  technology 
components. 

4.  Identify  and  inventory 

high-value  facilities. 

5.  Develop  and  maintain  an 

asset  database  that 

establishes  a  common 
source  for  all  high-value 

assets. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008(E) 

2009  (E) 

1600 

2009 

ADM-.SG1.SP2  Establish  A 

P02.1 

4.1.1 

5.5.3 

7.1.1 

1.1.9 

Common  Understanding 

P02.2 

6.6.2 

7.1.3 

3.2 

Subpractices 

7.2.1 

12.3 

1.  Create  an  asset  profile  for 

each  asset  (or  similar 

10.1.1 

work  product)  and 
document  a  common 
description. 

2.  Describe  and  document 
the  "acceptable  use"  of 
the  asset.  Ensure 
alignment  between 
acceptable  uses  and 
resilience  requirements. 

3.  Classify  information 
assets  as  to  their  level  of 
sensitivity. 

4.  Update  the  asset 
database  with  asset 
profile  information. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

ADM-SG1.SP3  Establish 

Ownership  and 

Custodianship 

7.7.2 

P04.9 

4.1.1 

4.1.4 

5.3.2 

5.3.3 

6.1.3 

7.1.1 

8.2. 1.2 

1.1.8 

12.3.8 

Subpractices 

6.6.2 

7.1.2 

l.  Document  and  describe 

the  owner  of  each  asset 
on  the  asset  profile  (or 
similar  work  product). 

11.6.2 

2.  Group  assets  that  are 

collectively  needed  to 
perform  a  specific 
business  process  or 
service,  and  identify 
service  owners,  if 
necessary. 

3.  Document  and  describe 

the  physical  location  of 
the  asset  and  the 

custodian  of  the  asset. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific  iso/iec 

Goals  and  Specific  ansi/asis  BS25999-1:  cobit  ffiec  bcp  20000-2 

Practices  SPC.l-2009  2006  CMMI-Dev  CMMI-Svc  4.1  Handbook  2005  (E) 

ADM-.SG2  Establish  the 
Relationship  Between 
Assets  and  Services 

4.1.1  5.3.1  7.1.1  7.2 

4.1.2  5.3.2  7.1.2  6.3.2 

4.1.4  11.6.2  6.3.3 

6.6.2  12.3.8 

16.5 


6.1.1  CM:SP3.1  CM:SP3.1 

7.7.1 

1.  Identify  high-value 
services. 

2.  Assign  assets  in  the  asset 
database  to  one  or  more 
services. 


ADM:SG2.SP1  Associate 
Assets  with  Services 
Subpractices 


ISO/IEC  ISO/IEC  ISO/IEC  ISO/IEC 

24762:  27002:  27005:  31000:  NFPA  PCI: 

2008  (E)  2005  (E)  2008  (E)  2009  (E)  1600  2009 


3.  Update  asset  profiles  to 
establish  and  document 
the  asset's  association  to 
a  service. 


4.  Update  the  asset 

database  with  asset-to- 
service  association 
information. 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC  ISO/IEC  ISO/I  EC  ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT  FFIEC  BCP  20000-2: 

24762:  27002:  27005:  31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006  CMMI-Dev  CMMI-Svc 

4.1  Handbook  2005(E) 

2008  (E)  2005  (E)  2008  (E)  2009  (E) 

1600 

2009 

ADM-SG2.SP2  Analyze 

6.1.1 

4.1.2 

6.14.8  7.1.2 

6.1.1 

Asset-Service  Dependencies 

7.7.1 

11.6.2 

6.1.2 

Subpractices 

l.  Identify  asset 

dependencies  and 

potential  conflicts. 

2.  Develop  mitigation  plans 

to  reduce  the  effects  of 

dependencies  that  could 

affect  the  operational 

resilience  of  associated 

services. 

3.  Implement  actions  to 

reduce  or  eliminate 

conflict. 

ADM-.SG3  Manage  Assets 

ADM-.SG3.SP1  Identify 

CM:SP1.2  CM:SP1.2 

PO10.11  4.1.2 

6.1.5 

Change  Criteria 

CM:SP1.3  CM:SP1.3 

4.1.3 

Subpractices 

CM:SP2.1  CM:SP2.1 

1.  Establish  an  asset 

inventory  baseline  from 

CM:SP2.2  CM:SP2.2 

which  changes  will  be 

managed. 

CM:SP3.1  CM:SP3.1 

2.  Develop  and  document 

criteria  for  establishing 

when  a  change  in  asset 

inventory  must  be 

considered. 

CMU/SEI-201 1-TN-012  |  12 


CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

ADM:SG3.SP2  Maintain 

Changes  to  Assets  and 

Inventory 

CM:SP3.2 

CM:SP3.2 

PO10.11 

4.1.2 

4.1.4 

7.14 

9.2.6 

6.1.5 

6.1.7 

Subpractices 

5.2 

1.  Document  the  asset 

changes  by  updating 
asset  profiles  and  the 
asset  database. 

2.  Maintain  a  requirement 

change  history  with 
rationale  for  performing 
the  changes. 

3.  Evaluate  the  impact  of 

asset  changes  on  existing 
resilience  requirements 
and  activities  and 
commitments  for 
protecting  and  sustaining 
assets. 

4.  Establish  communication 

channels  to  ensure 
custodians  are  aware  of 
changes  in  assets. 
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CERT®  Resilience 
Management  Model 
vl.l 


Commercial  Standards  and  Practices 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009  2006  CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

AM  -  Access  Management 


AM:SG1  Manage  and 
Control  Access 


AM:SG1.SP1  Enable  Access 

Subpractices 

1.  Establish  access 
management  policies  and 
procedures. 

2.  Complete  and  submit 
access  requests. 

3.  Approve  access  requests. 

4.  Provide  users  [access 
holders]  with  a  written 
statement  of  their  access 
rights  and 
responsibilities. 

5.  Implement  access 
requests. 


DS5.3 

DS5.4 

DS12.3 


Other 
Policies, 
Standards, 
and  Pro¬ 
cesses 


5.7.3 
6.3. 1-7 
6.3.12-14 

6.4.8 

6.4.9 
6.12.1 
6.12.2.2 
6.12.5.5 
7.5.1 
7.5.7 


6.1.4 

6.2.2 

9.1.1. 2 

10.1.4 

10.8.5 

10.9.1.3 
11.1.1 

11.2 

11.3.1 

11.4.1.2.3 
11.4.6,7 

11.5.1.3.4 

11.6.1 

11.7.1.2 

12.3.2 

12.4.3 

15.1.5 
15.3.2 


4.8.2  7.1 

6.4.4  7.2 

8.1 

12.5.8 
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CERT®  Resilience 
Management  Model 
vl.l 


Commercial  Standards  and  Practices 


Process  Area  Specific 

Goals  and  Specific  ansi/asis  BS25999-1: 

Practices  spc.1-2009  2006 


CMMI-Dev  CMMI-Svc 


ISO/I  EC 

COBIT  FFIEC  BCP  20000-2: 

4.1  Handbook  2005(E) 


ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC  ISO/IEC 

27005:  31000:  NFPA  PCI: 

2008(E)  2009(E)  1600  2009 

6.4.8 

6.2.2 

7.1.2 

6.4.9 

9.1.2 

7.1.3 

7.5.3 

10.8.5 

7.2.6 

7.5.4 

11.2,3 

12.5.8 

7.5.5 

11.5.4 

12.3.2 

15.3.2 

6.3.10 

6.2.2 

6.4.8 

9.1.2 

6.4.9 

11.2.4 

7.5.3 

12.3.2 

7.5.4 

15.3.2 

AM:SG1.SP2  Manage 
Changes  to  Access  Privileges 

Subpractices 

1.  Establish  an  enterprise¬ 
wide  change 

management  process  for 
access  privileges. 

2.  Establish  organizational 
criteria  that  may  signify 
changes  in  access 
privileges. 


DS5.4 

P07.8 

DS12.3 


Other 
Policies, 
Standards, 
and  Pro¬ 
cesses 


3. 


Manage  changes  to 
access  privileges. 


AM:SG1.SP3  Periodically 

Review  and  Maintain  Access 

Privileges 

Subpractices 

1.  Establish  regular  review 
cycle  and  process. 

2.  Perform  periodic  review 
of  access  privileges  by 
asset. 

3.  Identify  inconsistencies 
or  misalignments  in 
access  privileges. 


DS5.4 

DS12.3 


CMU/SEI-201 1-TN-012  |  15 


cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 


vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

AM:SG1.SP4  Correct 


P07.8 


9.1.2 


6.1 


Inconsistencies 


DS12.3 


11.2.4 


Subpractices  15.3.2 

1.  Develop  corrective 
actions  to  address 
excessive  or 
inappropriate  levels  of 
access  privileges. 

2.  Correct  access  privileges 
as  required. 

3.  Document  disposition  for 
excessive  or 
inappropriate  levels  of 
access  privileges  that  will 
not  result  in  changes  or 
deprovisioning. 

4.  Identify  risks  related  to 
excessive  or 
inappropriate  levels  of 
access  privileges. 

5.  Update  status  on 
corrective  actions. 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/IEC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

COMM  -  Communications 

COMM:SGl  Prepare  for 

Resilience  Communications 

C0MM:SG1.SP1  Identify 

Relevant  Stakeholders 

8.5.6 

IPM:SP2 

IPM:SP2 

P06.5 

Appendix 

G:  BCP 
Compo- 

5.1.4 

5.2.9 

Subpractices 

1.  Identify  relevant 
stakeholders  that  may 
have  a  vested  interest  or 

vital  role  in 

communications  about 
resilience. 

2.  Establish  a  plan  that 
describes  the 

involvement  of  all 

communications 

stakeholders. 

nents 

6.3.8 
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cert®  Resilience  Commercial  Standards  and  Practices 


Management  Model 
vl.l 


Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/IEC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

COMM:SGl.SP2  Identify 

Communications 

Requirements 

IPM:SP2 

IPM:SP2 

Other 

Policies, 
Standards, 
and  Pro¬ 
cesses 

5.8.3 

5.2.9 

6.3.1 

Subpractices 

1.  Analyze  the  resilience 

program  to  identify  the 
types  and  extent  of 

Appendix 

G:  BCP 
Compo¬ 
nents 

6.3.7 

6.11.7 

communication  that  is 
necessary  to  satisfy 
resilience  program 
objectives. 

2.  Document  the 
communications  needs  of 
stakeholders. 

3.  Establish  communications 
requirements  for  the 
operational  resilience 
management  processes. 

4.  Analyze  and  prioritize 
communication 
requirements. 

5.  Revise  the 
communication  needs  of 
the  organization  as 
changes  to  the  resilience 
program  and  strategy  are 
made. 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC. 1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/IEC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

COMM:SGl.SP3  Establish 

Communications  Guidelines 

8.5.5 

DS5.11 

IPM:SP2 

IPM:SP2 

Other 

Policies, 
Standards, 
and  Pro- 

5.8.3 

5.2.9 

6.3.3 

and  Standards 


Subpractices 

1.  Develop  resilience 
communication 
guidelines  and  standards. 


COMM:SG2  Prepare  for 

Communications 

Management 


COMM:SG2.SPl  Establish  a  4.3.2  8.5.5 

Resilience  Communications  442 

Plan 

Subpractices 

1.  Develop  and  implement  a 
resilience 

communications  plan. 

2.  Establish  commitments 
to  the  communications 
plan. 

3.  Revise  the  plan  and 
commitments  as 
necessary. 


Appendix  5  8  3 

G:  BCP 

c°mP°-  673 

nents 

6.7.6 


11 


5.2.9 

6.3.2 

6.3.7 

6.4.6 


CMU/SEI-201 1-TN-012  |  19 


CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/IEC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

COMM:SG2.SP2  Establish  a 

Resilience  Communications 

Program 

Subpractices 

1.  Establish  a  resilience 

communications 

program. 

4.4.2 

P06.5 

Appendix 

G:  BCP 
Compo¬ 
nents 

6.7.3 

6.3.3 

6.3.4 

6.3.7 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

COMM:SG2.SP3  Identify 
and  Assign  Plan  Staff 

Subpractices 

1.  Develop  detailed  job 
descriptions  for  each 
role/responsibility 
detailed  in  the 
communications  plan. 

2.  Establish  a  list  of 
candidate  and  skilled 
resources  to  fill  each 
role/responsibility  in  the 
communications  plan. 

3.  Assign  resources  to 

communication 
processes  roles  and 
responsibilities. 

4.  Ensure  that 
organizational  training  is 
provided  to 
communications  staff 
with  respect  to  the 
specific  resilience 
communication  roles 
they  perform. 


CMU/SEI-201 1-TN-012  |  21 


CERT®  Resilience 


Commercial  Standards  and  Practices 


Management  Model 

vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

COMM:SG3  Deliver 
Resilience  Communications 


COMM:SG3.SPl  Identify 

Communications  Methods 

and  Channels 

Subpractices 

1.  Inventory 
communications 
methods  and  channels 
that  currently  exist. 

2.  Identify  the  appropriate 
communications 
methods  and  channels 
for  each  type  of 
stakeholder. 

3.  Identify  communication 
methods  and  channels 
that  do  not  currently 
exist. 


P06.5  6.2.1  6.7.6 

DS5.11  6.6.6  6.11.3.2 


6.3.3 

6.3.7 

6.3.8 


4.  Identify  tools,  techniques, 
and  methods  required  to 
use  the  identified 
methods  and  channels. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 

Process  Area  Specific  iso/iec  iso/iec  iso/iec  iso/iec  iso/iec 

Goals  and  Specific  ANSI/ASIS  BS25999-1:  COBIT  FFIEC  BCP  20000-2:  24762:  27002:  27005:  31000:  NFPA  PCI: 

Practices  SPC.l-2009  2006  CMMI-Dev  CMMI-Svc  4.1  Handbook  2005(E)  2008(E)  2005(E)  2008(E)  2009(E)  1600  2009 


COMM:3.SP2  Establish  and  P06.5  6.2.1  6.7.1  6.3.3 

Maintain  Communications  r  ^  n 

o.I.Z  b.o.b 

Infrastructure 

6.7.5  6.3.6 

Subpractices 

6.7.6  6.3.7 

1.  Identify  and  inventory 

existing  communications  6.11.3.2  6.3.8 

infrastructure  and 

capabilities  that  may  be 

able  to  meet  plan  and 

program  objectives  and 

communications 

requirements. 

2.  Identify  infrastructure 
needs  to  support 
communications 
requirements,  methods, 
and  channels. 

3.  Implement  and  maintain 
communications 
infrastructure. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

COMM:SG4  Improve 
Communications 


COMM:SG4.SPl  Assess  6.3.3 

Communications  ^  ^ 

Effectiveness 

Subpractices 

1.  Establish  and  implement 
a  formal  communications 
review  activity. 

2.  Prepare  an  analysis 
report  on  the 
effectiveness  of  the 
communications 
activities. 

3.  Compare  outcomes  of 
communications 
processes  with  plan 
objectives  and 
expectations. 

4.  Document  suggested 
improvements  to  the 
communications  plan  and 
program  based  on  the 
evaluation  of  the 
effectiveness  of 
awareness  activities. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

COMM:SG4.SP2  Improve  IPM:SP2  IPM:SP2 

Communications 

Subpractices 

1.  Review  results  of 
communications 
assessment  activities  and 
effectiveness  analysis 
reports. 

2.  Review  communication 
processes,  plans,  and 
programs  and  update  for 
any  perceived 
deficiencies  or  omissions. 

3.  Revise  the 
communication  methods, 
channels,  and  supporting 
work  products  as 
necessary. 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009  2006  CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

CERT®  Resilience 
Management  Model 
vl.l 


Commercial  Standards  and  Practices 


COMP  -  Compliance 


COMP :SG1  Prepare  for 
Compliance  Management 


C0MP:SG1.SP1  Establish  a 
Compliance  Plan 

Subpractices 

1.  Develop  a  strategic  plan 
for  managing  compliance. 

2.  Establish  sponsorship  and 
resource  commitments 
for  the  compliance  plan. 

3.  Revise  the  plan  and 
commitments  on  a  cycle 
commensurate  with  the 
organization's  strategic 
planning  process. 


VER:SP1.2 

VER:SP2.1 


ME3.1 


6.14.6.1 

6.15.1 


4.5.1 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 

ISO/I  EC  ISO/IEC  ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2:  24762:  27002: 

27005: 

31000:  NFPA  PCI: 

Practices 

SPC.1-2009  2006 

CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005(E)  2008(E)  2005(E) 

2008  (E) 

2009  (E)  1600  2009 

COMP:SGl.SP2  Establish  a 

VER:SP1.2 

6.14.6.1 

4.5.2 

Compliance  Program 

VER:SP2.1 

6.15.1 

Subpractices 

1.  Establish  a  compliance 
program. 

2.  Assign  resources  to 
compliance  program. 

3.  Provide  funding  for  the 
compliance  program. 

4.  Provide  sponsorship  and 
oversight  to  the 
compliance  program. 


COMP:SGl.SP3  Establish 
Compliance  Guidelines  and 
Standards 

Subpractices 

1.  Develop  and 

communicate  compliance 
guidelines  and  standards. 


VER:SP1.3 


ME3.2 

P06.4 


Appendix 
A:  Exami¬ 
nation 
Procedures 


6.14.6.1  5.1.1 

6.14.6.3 

6.15.2 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 


vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

Goals  and  Specific  ansi/asis 

BS25999-1: 

COBIT  FFIEC  BCP 

20000-2: 

24762: 

Practices  spc.1-2009 

2006 

CMMI-Dev 

CMMI-Svc  4.1  Handbook 

2005  (E) 

2008  (E) 

ISO/IEC 

ISO/IEC 

ISO/IEC 

27002: 

27005: 

31000: 

NFPA 

PCI: 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

COMP.SG2  Establish 


Compliance  Obligations 


C0MP:SG2.SP1  Identify 
Compliance  Obligations 

Subpractices 

1.  Interview  service  owners, 
auditors,  and  legal  to 
identify  compliance 
obligations. 

2.  Identify  compliance 
obligations  that  the 
organization  may  have  to 
satisfy  because  of  its 
external  entity 
affiliations. 

3.  Identify  internal  policies 
and  procedures  that 
should  be  included  in  the 
inventory  of  compliance 
obligations. 


P03.3 

Business 

Impact 

4.1.3 

6.10.2 

15.1.1 

ME3.1 

Analysis 

6.2.1 

6.14.3 

15.2.1 

ME4.7 

Other 

Policies, 

6.6.6 

6.15.2 

6.1.2 

Standards, 
and  Pro¬ 

9.1.5 

6.15.3 

cesses 

7.6.3 

Appendix 

A:  Exami¬ 
nation 

Procedures 

Appendix  1: 
Laws, 

Regula¬ 
tions,  and 
Guidance 

5.2.2 

5.4.3 
6.11.6 


4.  Identify  sources  of 

potential  new  compliance 
obligations. 


5.  Develop  an  inventory  of 
compliance  obligations. 
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cert®  Resilience  Commercial  Standards  and  Practices 


Management  Model 
vl.l 


Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

COMP:SG2.SP2  Analyze 

PPQA:SP1.1 

PPQA:SP1.1 

P03.3 

4.1.3 

5.4.3 

Obligations  VER:SP2.2 


Subpractices  VER:SP3.1 

1.  Establish  technique  for 
performing  analysis  on 
compliance  obligations. 

2.  Analyze  compliance 
obligations  and 
document  results. 

3.  Identify  conflicting 
obligations. 


COMP:SG2.SP3  Establish 

Ownership  for  Meeting 

Obligations 

Subpractices 

1.  Establish  the  owner  for 
each  compliance 
obligation. 

2.  Establish  training 
requirements  for 
compliance  roles,  if 
necessary. 

3.  Identify  compliance 
obligations  that  have  not 
been  assigned  or 
accepted. 


PPQA:SP2.1  PPQA:SP2.1  P04.8 


6.10.3  15.1.1 


DS5.2 


6.14.6.1 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/IEC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

COMP:SG3  Demonstrate 

Satisfaction  of  Compliance 

Obligations 

COMP:SG3.SPl  Collect  and 

Validate  Compliance  Data 

VER:SP2.3 

VER:SP3.2 

ME4.7 

DS5.5 

Appendix 

A:  Exami¬ 
nation 

Procedures 

9.1.5 

6.14.6.1 

15.2.1 

Subpractices 

1.  Develop  strategies  for 
data  collection  and 
validation. 

2.  Establish  compliance 
knowledgebase  or 
information  repository. 

3.  Implement  processes  for 
data  validation  and 
integrity  checking. 

ME2.4 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

COMP:SG3.SP2 

ME3.5 

Appendix 

A:  Exami- 

9.1.5 

15.2.1 

Demonstrate  the  Extent  of 

Compliance  Obligation 

Satisfaction 

ME4.7 

DS5.5 

nation 

Procedures 

Subpractices 

1.  Establish  minimum 
requirements  for 
compliance. 

2.  Determine  the 
stakeholders  of  the 
compliance  reports  and 
data. 

3.  Prepare  and  submit 
compliance  reports  as 
necessary. 

4.  Track  progress  against 
compliance  obligations 
and  identify  obligations 
that  may  not  be  met  on 
time. 

5.  Identify  risks  and 
potential  costs  of  non- 
compliance. 

6.  Identify  areas  that  may 
need  remediation  for 
compliance  purposes. 

7.  Gather  performance  data 
on  the  achievement  of 
compliance  obligations. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

COMP:SG3.SP3  Remediate 
Areas  of  Non-Compliance 

Subpractices 

1.  Identify  areas  of 
suggested  remediation. 

2.  Analyze  areas  of 
suggested  remediation 
and  develop  detailed 
remediation  plans. 

3.  Assign  resources  to 
perform  remediation. 

4.  Track  remediation 
activities  to  completion. 

5.  Assess  remediation 
activities  to  determine  if 
satisfaction  of 
compliance  obligations 
has  been  achieved. 

6.  Update  satisfaction  of 
compliance  obligations 
(as  a  result  of 
remediation),  if 
appropriate. 


PPQA:SP2.1  PPQA:SP2.1  ME3.4  6.10.2  15.2.1 

ME4.7 
DS5.5 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 

vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

COMP:SG4  Monitor 
Compliance  Activities 

COMP:SG4.SPl  Evaluate  4.5.2. 1  ME3.2  6.14.6.2  15.2.2  4.5.3 

Compliance  Activities  ME3  3 

Subpractices 

1.  Establish  and  maintain 
clearly  stated  criteria  for 
evaluations. 

2.  Evaluate  compliance 
processes  for  adherence 
to  compliance  standards 
and  guidelines  for 
meeting  compliance 
obligations  using  the 
stated  criteria. 

3.  Identify  deficiencies  and 
areas  for  improvement, 
particularly  where  the 
satisfaction  of 
compliance  obligations 
has  been  impaired. 

4.  Identify  and  apply  lessons 
learned  that  could 
improve  the 
organization's 
compliance  process. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

CTRL  -  Controls  Management 

CTRLSGl  Establish  Control 

Objectives 

CTRLSGl. SP1  Define 

AI2.3 

6.4.1 

10.4 

Control  Objectives 

P06.1 

6.4.2 

10.5 

Subpractices 

P06.2 

6.4.3. 1 

10.6 

1.  Identify  management 

directives  and 
organizational  guidelines 
upon  which  to  base  the 
definition  of  control 
objectives. 

PO10.12 

6. 4. 3. 2 

10.7 

12.3.1 

2.  Define  and  document 

control  objectives  that 
result  from  management 
directives  and  guidelines. 

3.  Prioritize  control 

objectives. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Plandbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

CTRLSG2  Establish  Controls 

CTRLSG2.SP1  Define 

6.4.1 

10.4,5,6,7 

9.2 

Controls 

6.4.2 

11.2,3,4,5 

9.3 

Subpractices 

6.4.3. 1 

11.6,7 

1.  Establish  enterprise-level 

controls  to  satisfy  control 
objectives. 

6.4.3. 2 

12.3.1 

2.  Confirm  or  assign 

responsibility  for 
implementing  enterprise- 
level  controls. 

3.  Establish  service-  and 

asset-level  controls  to 
satisfy  control  objectives. 

4.  Confirm  or  assign 

responsibility  for 
implementing  service- 
and  asset-level  controls. 

5.  Develop  a  bi-directional 

traceability  matrix  that 
maps  control  objectives 
and  enterprise-,  service-, 
and  asset-level  controls. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Elandbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

CTRL-3:  Analyze  Controls 

CTRLSG3.SP1  Analyze 

AI3.2 

8.2. 1.4 

Controls 

AI2.3 

Subpractices 

ME2.3 

l.  Analyze  existing  controls 

against  control 
objectives. 

ME2.4 

2.  Identify  gaps  where  an 

existing  control  does  not 
fully  meet  one  or  more 
control  objectives. 

3.  Identify  gaps  where 

enterprise  control 
objectives  for  the 
resilience  of  services, 
assets,  and  service 
control  objectives  are  not 
adequately  satisfied  by 
existing  controls. 

4.  Identify  updates  to 

existing  controls  and 
proposed  new  controls  to 
address  gaps. 

5.  Identify  redundant  and 

conflicting  controls  and 
changes  to  address  them. 

6.  Identify  risks  that  may 

result  from  unsatisfied 
control  objectives  as  well 
as  redundant  and 
conflicting  controls. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific  ansi/asis 

BS25999-1: 

COBIT  FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA  PCI: 

Practices  spc.1-2009 

2006 

CMMI-Dev  CMMI-Svc 

4.1  Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600  2009 

CTRLSG4  Assess  Control 

Effectiveness 

CTRLSG4.SP1  Assess 

AI3.2 

6.1.2 

8.2. 1.4 

Controls 

AI2.3 

6.1.8 

Subpractices 

1.  Select  the  scope  for  the 
assessment. 


2.  Perform  the  assessment. 

3.  Identify  problem  areas. 

4.  Identify  updates  to 
existing  controls  and 
proposed  new  controls  to 
address  problem  areas. 

5.  Identify  updates  to 
service  continuity  plans 
that  may  result  from 
changes  to  the  internal 
control  system. 

6.  Identify  risks  that  may 
result  from  unresolved 
problems. 
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CERT®  Resilience 
Management  Model 
vl.l 


Commercial  Standards  and  Practices 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009  2006  CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EC  -  Environmental  Control 


EC:SG1  Establish  and 
Prioritize  Facility  Assets 


EC:SG1.SP1  Prioritize 
Facility  Assets 

Subpractices 

1.  Compile  a  list  of  high- 
value  facility  assets  from 
the  organization's  asset 
inventory. 

2.  Prioritize  facility  assets. 

3.  Periodically  validate  and 
update  the  list  of  critical 
facility  assets  based  on 
operational  and 
organizational 
environment  changes. 


6.4 


Appendix 
G:  BCP 
Compo¬ 
nents 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 


vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EC:SG1.SP2  Establish  6.4 

Resilience-Focused  Facility  „  _ 

O.  J. 

Assets 

Subpractices 

1.  Compile  a  list  of 
resilience-focused  facility 
assets  from  the 
organization's  asset 
inventory. 

2.  Periodically  reconcile  the 
list  of  resilience-focused 
facilities  to  the 
organization's  services 
continuity  plans  and 
resilience-focused 
strategies. 


DS4.8  Appendix  gl2  g.l  9.1  6.1.4 

G:  BCP 

Compo-  64?  61 

nents 

6.5 

6.6.1. 3 

6.8.4 

6.10.1 

6.11.3.3 

6.11.3.4 

6.11.4 
6.12.1 
6.12.2.3 
6.12.5.2 
6.12.7,  8 

6.13.2.3.4 
6.14.1 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EC:SG2  Protect  Facility 
Assets 


EC:SG2.SP1  Assign 

Resilience  Requirements  to 

Facility  Assets 

Subpractices 

1.  Assign  resilience 
requirements  to  facility 
assets. 

2.  Document  the 
requirements  (if  they  are 
currently  not 
documented)  and  include 
in  the  asset  definition. 


DS12.1  5.4  6.2.2 

DS12.2  5.3.3  6.2.3 

DS4.8  5.7.1  6.2.4 

6.2  6.2.5 

6.3.1  6.2.6 

6.4.1. 2  6.2.7 

6.4. 3. 1.3.2  6.2.8 

6. 4. 5. 4  6.2.9 


6.4.7 

6.4.10,11 

6.4.12,13 

6.5 

6.6.1. 3 

6.10.1,4 

6.12.2.3 

6.12.5.2 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 

ISO/I  EC  ISO/IEC  ISO/IEC  ISO/IEC  ISO/IEC 

Goals  and  Specific  ansi/asis 

BS25999-1: 

COBIT  FFIEC  BCP  20000-2:  24762:  27002:  27005:  31000:  NFPA  PCI: 

Practices  spc.1-2009 

2006 

CMMI-Dev  CMMI-Svc 

4.1  Handbook  2005(E)  2008(E)  2005(E)  2008(E)  2009(E)  1600  2009 

EC:SG2.SP1  Assign 

6.12.7,8 

Resilience  Requirements  to 

6.13.2,3,4 

Facility  Assets 

6.14.2 

Subpractices 

6.6.3 

l.  Assign  resilience 

requirements  to  facility 

assets. 

2.  Document  the 

requirements  (if  they  are 

currently  not 

documented)  and  include 

in  the  asset  definition. 
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CERT®  Resilience 
Management  Model 
vl.l 


Commercial  Standards  and  Practices 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Flandbook 

2005  (E) 

2008  (E) 

2005  (E) 

EC:SG2.SP2  Establish  and 

DS12.1 

5.4 

9.1 

5.7.1 

Implement  Controls 

DS12.2 

6.3 

6.4.1 

9.2. 1,3, 4, 5 

Subpractices 

DS12.3 

9.2.7 

1.  Establish  and  implement 

DS12.4 

6.4.2 

10.1.1,3,4 

administrative  controls 
for  facility  assts. 

6.4.3. 1 

10.6.1 

2.  Establish  and  implement 

6.4.3. 2 

10.8.5 

technical  controls  for 
facility  assets. 

6. 4. 3. 3 

6.4.5, 7 

11.6.2 

3.  Establish  and  implement 

physical  controls  for 
facility  assets. 

6.4.10,11 

11.7.1,2 

4.  Establish  and  specify 

6.4.12,13 

15.1.3,4 

controls  over  the  design, 
construction,  or  leasing 

6.6.1 

15.3.2 

(acquisition)  of  facility 

6. 8. 5. 4, 5 

assets. 

6.9.2 

5.  Monitor  the  effectiveness 

of  administrative, 
technical,  and  physical 
controls,  and  identify 
deficiencies  that  must  be 
resolved. 

6.10.1.4 

6.12.2.3 

6.12.2,5,6 

6.12.7,8 

6.13.2.3.4 

6.14.2 

ISO/IEC 
27005: 
2008  (E) 


ISO/IEC 
31000: 
2009  (E) 


NFPA 

1600 


PCI: 

2009 


13.1 
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CERT®  Resilience 
Management  Model 
vl.l 


Commercial  Standards  and  Practices 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Elandbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EC:SG3  Manage  Facility 

Asset  Risk 

EC:SG3.SP1  Identify  and 

Assess  Facility  Asset  Risk 

DS12.2 

Risk  Man¬ 
agement 

6.7.1 

6.73,4,5 

6.2.2 

6.2.3, 4, 5 

5.4.3 

5.6.1 

Subpractices 

6.8.1, 3,4 

6.2.6, 7, 8, 9 

5.6.2 

1.  Determine  the  scope  of 
risk  assessment  for 
facility  assets. 

2.  Identify  risks  to  facility 
assets. 

6.8.5. 1.2.3 

6.9.3 

6.14,15 

11.7.1,2 

5.6.3 

3.  Analyze  risks  to  facility 

assets. 

8.2 

4.  Categorize  and  prioritize 

risks  to  facility  assets. 

9.4.2 

5.  Assign  a  risk  disposition 
to  each  facility  asset  risk. 

6.  Monitor  the  risk  and  the 
risk  strategy  on  a  regular 
basis  to  ensure  that  it 
does  not  pose  additional 
threat  to  the 
organization. 

7.  Develop  a  strategy  for 
those  risks  that  the 
organization  decides  to 
mitigate. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EC:SG3.SP2  Mitigate 
Facility  Risks 

Subpractices 

1.  Develop  and  implement 
risk  mitigation  strategies 
for  all  risks  that  have  a 
"mitigation"  or  "control" 
disposition. 

2.  Validate  the  risk 
mitigation  plans  by 
comparing  them  to 
existing  protection  and 
sustainability  strategies. 

3.  Identify  the  person  or 
group  responsible  for 
each  risk  mitigation  plan 
and  ensure  that  they 
have  the  authority  to  act 
and  the  proper  level  of 
skills  and  training  to 
implement  and  monitor 
the  plan. 

4.  Address  residual  risk. 

5.  Implement  the  risk 
mitigation  plans  and 
provide  a  method  to 
monitor  the  effectiveness 
of  these  plans. 

6.  Monitor  risk  status. 

7.  Collect  performance 
measures  on  the  risk 
management  process. 


DS12.2 


Risk  Man¬ 
agement 


6.2.10  9.1 

11.7.1 

11.7.2 


5.6.1 

5.6.2 

5.6.3 
5.7 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

EC:SG4  Control  Operational 

Environment 

EC:SG4.SP1  Perform  Facility 

Sustainability  Planning 

Subpractices 

1.  Perform  business  impact 
analysis. 

2.  Develop  service 
continuity  plans  that 
address  facility 
availability. 

7.4 

DS12.1 

6.3.4 

6.1 

6.6.1 

9.1.1 

9.2.1 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Flandbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008(E) 

2009  (E) 

1600 

2009 

EC:SG4.SP2  Maintain 

DS12.4 

5.2 

9.1.1 

Environmental  Conditions 

DS12.5 

5  3  3 

9.2. 1,2,4 

Subpractices 

1.  Identify  control  systems 

that  require  regular 
maintenance. 

6.1,2 

6.3.8 

2.  Document  equipment 

supplier's  recommended 
service  intervals  and 
specifications. 

3.  Document  a  list  of 

maintenance  personnel 
authorized  to  carry  out 
repairs  and  service. 

4.  Document  all  suspected 

or  actual  faults  and  all 
preventative,  corrective, 
and  other  types  of 
maintenance. 

6.6.1, 2 

6.6.4 

6.9.3 

6.10.4,5 

6.12.2.3.4 

6.14 

6.14.6.4 

5.  Implement  maintenance 

and  test  maintenance 
changes  in  a  non- 
operational  environment. 

6.14.8 

6.14.11 

6.  Establish  appropriate 

controls  over  sensitive  or 
confidential  information 

when  maintenance  is 
performed. 

7.  Communicate 

maintenance  change 
notification  to 
appropriate  entities. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008(E) 

2009  (E) 

1600 

2009 

EC:SG4.SP2  Maintain 

Environmental  Conditions 

Subpractices  (continued) 

8.  Implement  maintenance 
according  to  change 
request  procedures. 

9.  Document  and 
communicate  results  of 
maintenance. 


EC:SG4.SP3  Manage  8.5.8 

Dependencies  on  Public 

Services 

Subpractices 

1.  Identify  and  document 
public  services  on  which 
facilities  rely. 


SD:SP1.1 

SD:SP1.2 

SD:SP2.1 

SD:SP2.2 

SD:SP2.3 


Risk  Man-  6  12 
agement 

6.3.4 


5.5.1 
5.8.2, 4,5 

6.1 
6.2.8 
6.2.9 


6.1.6 

9.2. 1,2 


2.  Develop  a  key  contact  list  SD:SP3.3  6.8.2 

for  organizational 

services  that  can  be  6.10.5 

included  as  part  of 
service  continuity  plans. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 


vl.l 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EC:SG4.SP4  Manage 

Dependencies  on  Public 

Infrastructure 

SD:SP1.1 

SD:SP1.2 

Risk  Man¬ 
agement 

6.1.2 

6.3.4 

5.5.1 

5.8.2, 3,4,5 

6.1.6 

9.2.1 

SD:SP2.1 

6.1 

9.2.2 

Subpractices 


1.  Identify  and  document 
internal  infrastructure 
dependencies  that  the 
organization  relies  upon 
to  provide  services. 


SD:SP2.2 

SD:SP2.3 

SD:SP3.3 


6. 2.8,9 

6.7.5 

6.8.2 


2.  Identify  and  document 
external  resources  that 
the  organization  relies 
upon  to  provide  services. 


6.9.3 

6.10.5 


3.  Develop  a  key  contact  list 
for  public  infrastructure 
services  that  can  be 
included  as  part  of  the 
service  continuity  plans. 


4.  Update  service  continuity 
plans  as  appropriate. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EC:SG4.SP5  Plan  for  Facility  6.14.7  9.2.6 

Retirement 

Subpractices 

1.  Develop  a  plan  for  facility 
retirement. 

2.  Develop  and  implement 
service  continuity  plans 
to  support  the  retirement 
of  the  facility  asset. 

3.  Archive  facility  work 
products. 

4.  Retire  the  facility  by 
executing  the  retirement 
plan. 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Flandbook 

ISO/IEC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

EF  -  Enterprise  Focus 

EF:SG1  Establish  Strategic 

Objectives 

EF:SG1.SP1  Establish 

Strategic  Objectives 

6.1.1 

DAR:SP1.1 

IPMJPPD: 

DAR:SP1.1 

P01.2 

P01.4 

Board  and 

Senior 

Manage- 

5.1.1 

5.1.2 

Subpractices 

1.  Identify  the 
organization's  mission, 
vision,  values,  and 
purpose. 

2.  Identify  the 
organization's  strategic 
objectives. 

SP3.1 

ME4.2 

ment  Re¬ 
sponsibility 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 

ISO/I  EC  ISO/IEC  ISO/IEC  ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT  FFIEC  BCP  20000-2:  24762:  27002:  27005: 

31000:  NFPA  PCI: 

Practices 

SPC.1-2009  2006  CMMI-Dev 

CMMI-Svc 

4.1  Handbook  2005(E)  2008(E)  2005(E)  2008(E) 

2009  (E)  1600  2009 

EF:SG1.SP2  Establish 

6.1.1  DAR:SP1.2 

DAR:SP1.1 

POl  2  Business 

5.5.3 

Impact 

Critical  Success  Factors 

6.1.2 

ME4.2  Analysis 

Subpractices 


1.  Collect  data  to  support 
the  development  of 
critical  success  factors. 

2.  Consolidate  and  analyze 
critical  success  factor 
data. 

3.  Derive  the  critical  success 
factors  for  the 
organizations. 

4.  Perform  affinity  analysis 
between  strategic 
objectives  and  critical 
success  factors. 

5.  Identify  the  key 
performance  indicators 
to  measure 

accomplishment  of  each 
critical  success  factor. 

6.  Monitor  the 
accomplishment  of 
critical  success  factor  and 
take  corrective  action  as 
necessary. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EF:SG1.SP3  Establish  6.1.1 

Organizational  Services  6  12 

Subpractices  6  ^ 

1.  Inventory  organizational 
services  and  develop 
service  repository. 

2.  Document  service 
attributes  in  a  service 
profile. 

3.  Perform  affinity  analysis 
between  organizational 
services  and  objective 
measures  such  as 
strategic  objectives  and 
critical  success  factors. 

4.  Define  high-value 
services  from  the 
organization's  standard 
services  repository. 

5.  Revise  the  organization's 
service  profiles  and 
services  repository  and 
service  levels  as 
necessary. 


P01.2 


Board  and 
Senior 
Manage¬ 
ment  Re¬ 
sponsibility 

Business 

Impact 

Analysis 


3.1 

4.1.4 

5.1 

5.2 

6. 1.1.2 

6. 1.3.4 


7.3.3 


CMU/SEI-201 1-TN-012  |  52 


cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 


vl.l 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EF:SG2  Plan  for  Operational 

Resilience 

EF:SG2.SP1  Establish  an 

4.4.4 

PP:SP2.7 

P01.5 

Board  and 

Senior 

3.1 

5.1.1 

Operational  Resilience 

P06.3 

Manage¬ 
ment  Re- 

4.1.4 

6.1.2 

Management  Plan 

DS5.2 

sponsibility 

6.6.6 

Subpractices 


1.  Develop  the  resilience 
management  plan. 

2.  Establish  commitments 
to  the  plan. 

3.  Revise  the  plan  and 
commitments  on  a  cycle 
commensurate  with  the 
organization's  strategic 
business  planning 
process. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

3.1  5.1.1 

4.1.4  6.1.2 

6.6.6 

Subpractices 

P04.5 

1.  Establish  the  operational 

resilience  management  P04.6 

program. 

2.  Fund  the  operational  P04.7 

resilience  management 

program. 

3.  Assign  resources  to  the 
operational  resilience 
management  program. 

4.  Provide  oversight  to  the 
operational  resilience 
management  program. 

5.  Gather  performance  data 
on  the  achievement  of 
strategic  resilience 
objectives. 


EF:SG2.SP2  Establish  an  4.1.1 
Operational  Resilience 
Management  Program 


4.4.4 


P01.5 

P01.6 

P04.4 


Board  and 
Senior 
Manage¬ 
ment  Re¬ 
sponsibility 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 


vl.l 


Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

EF:SG3  Establish 

Sponsorship 

EF:SG3.SP1  Commit  4.4.1 

Funding  for  Operational 
Resilience  Management 

Subpractices 

1.  Develop  the  business 
case  for  the  operational 
resilience  management 
program  and  process. 

2.  Establish  operational 
resilience  management 
program  and  process 
funding  as  a  regular  part 
of  the  organization's 
strategic  plan  budgeting 
(capital  and  expense) 
exercise. 

3.  Approve  allocation  of 
funding  to  operational 
resilience  management 
program  and  process 
activities. 


POl.l  3.1  6.1.1 

DS5.2  4.1.4  14.1.1 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Flandbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EF:SG3.SP2  Promote  a 

4.4.2 

5.4.2 

6.6.6 

6.1.1 

4.1.1 

Resilience-Aware  Culture 

10.1 

10.9 

4.1.2 

Subpractices 

l.  Establish  a  plan  for  visible 

promotion  of  a  resilience- 
aware  culture  with 
appropriate  success 
metrics. 

2.  Establish  performance 

management  of  higher 
level  managers  for 
resilience. 

3.  Establish  rewards  and 

recognition  programs  to 
support  resilience 
acculturation. 

4.  Measure  to  the  extent 

possible  the  level  of 
acculturation  of  resilience 

awareness  that  is  the 
direct  result  of 
sponsorship. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Flandbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EF:SG3.SP3  Sponsor 

4.2.1 

5.2 

P06.1 

3.1 

5.1.1 

4.1.1 

Resilience  Standards  and 

10.1 

DS5.1 

3.2 

6.1.1 

4.1.2 

Policies 

6.6.6 

7.1.3 

11.6.1 

4.1.3 

Subpractices 

l.  Establish  policy 

statements  reflecting 
senior  management's 
commitment  to  managing 
resilience. 

CMU/SEI-201 1-TN-012  |  57 


cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT  FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA  PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev  CMMI-Svc 

4.1  Flandbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600  2009 

EF:SG4  Provide  Resilience 

Oversight 

EF:SG4.SP1  Establish 

4.4.1 

5.2.1 

P01.6 

5.1.2 

4.3.1 

Resilience  as  a  Governance  ^ 

Focus  Area 

P04.3 

Subpractices 

ME4.1 

1.  Establish  a  governance 

framework  for  the  ^ 

operational  resilience 
management  system. 

2.  Assign  roles  and 
responsibilities  for 
governance  over  the 
operational  resilience 
management  system. 

3.  Identify  the  procedures, 
policies,  standards, 
guidelines,  and 
regulations  that  will  form 
the  basis  for  resilience 
governance  activities. 


4.3.2 

4.3.3 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Flandbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EF:SG4.SP2  Perform 

5.2.2 

P01.6 

3.1 

5.1.2 

4.4 

Resilience  Oversight 

P04.2 

3.2 

Subpractices 

P04.3 

l.  Identify  key  governance 

stakeholders. 

ME4.6 

2.  Establish  governance 

dashboard  or  scorecard 
for  measuring  and 
managing  operational 
resilience  management 
system  performance. 

DS5.1 

3.  Monitor  and  collect  data 

for  measuring  key 
indicators  and  metrics 
and  reporting  on  these 
indicators  to  key 
stakeholders. 

4.  Review  audit  reports  on  a 

regular  basis  for 
indicators  of  problems. 

5.  Establish  a  process  for 

handling  exceptions  to 
the  organization's 
acceptable  behaviors. 

6.  Establish  reporting 

procedures  to 
communicate  results  of 
measurement  against 
indicators  to  governance 
stakeholders. 

7.  Provide  reports  on 

performance  to 
governance  stakeholders. 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Flandbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

EF:SG4.SP3  Establish 

Corrective  Actions 

P01.6 

ME4.6 

5.1.1 

5.1.2 

Subpractices 


1.  Identify  and  analyze 
(measurements  of)  key 
indicators  that  do  not 
meet  established  metrics. 

2.  Develop  corrective 
actions  to  close  perceived 
gaps. 

3.  Identify  persons  or 
groups  responsible  for 
implementing  and 
managing  corrective 
actions. 

4.  Report  on  the  success  of 
the  corrective  actions  to 
key  stakeholders. 

5.  Perform  root-cause 
analysis  to  determine 
underlying  causes  of 
process  variation  for 
continuous  improvement. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EXD  -  External  Dependencies 

EXD-.SGl  Identify  and 

Prioritize  External 

Dependencies 

EXD:SG1.SP1  Identify 

6.1 

SAM:SP1.2 

SAM:SP1.2 

P08.4 

Appendix 

E:  Interde- 

6.1.2 

6.7.2 

6.1.6 

5.2.1 

External  Dependencies 

6.4 

SD:SP1.1 

AI5.1 

pendencies 

6.1.3 

5.5.1 

6.1.7 

5.2.4 

Subpractices 

7.7.2 

DS2.1 

7.3.3 

5.5.2 

10.2.1 

6.2 

1.  Establish  a  process  for 

creating  and  maintaining 
the  list  of  external 
dependencies  and 
entities. 

8.5.8 

2.  Establish  a  set  of 

information  that  is 

collected  and  stored  to 
define  each  external 
dependency  and  the 
responsible  external 
entity. 

3.  Review  the  organization's 

asset  inventory  to  ensure 
that  any  external  entities 
that  possess,  develop, 
control,  operate,  or 
otherwise  influence  high- 
value  assets  are 
identified  as  external 
dependencies. 

CMU/SEI-201 1-TN-012  |  61 


cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EXD:SG1.SP1  Identify 
External  Dependencies 

Subpractices  (continued) 

4.  Review  the  organization's 
list  of  services  to  identify 
services  that  are  subject 
to  external 

dependencies;  add  any 
such  dependencies  to  the 
list  of  external 
dependencies. 

5.  Review  supplier  and 
customer  databases  to 
identify  additional 
external  dependencies. 

6.  Review  current  contracts 
and  SLAs  to  identify 
additional  external 
dependencies. 

7.  Update  the  external 
dependency  list  on  a 
regular  basis. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EXD:SG1.SP2  Prioritize  7.7.2 

External  Dependencies 

Subpractices 

1.  Establish  prioritization 
criteria  and  scheme  for 
external  dependencies. 

2.  Apply  the  prioritization 
criteria  to  the  list  of 
external  dependencies  to 
produce  a  prioritized  list. 

3.  Periodically  validate  and 
update  the  prioritization 
criteria  and  scheme 
based  on  changes  to  the 
operational  environment. 

4.  Periodically  update  the 
prioritized  list  of  external 
dependencies  based  on 
changes  in  the 
prioritization  criteria  and 
scheme,  the  operating 
environment,  or  the  list 
of  external  dependencies. 

5.  Perform  affinity  analyses 
to  inform  dependency 
prioritization  and  risk 
identification. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EXD:SG2  Manage  Risks  Due 

to  External  Dependencies 

EXD:SG2.SP1  Identify  and  4.5 

Assess  Risks  Due  to  External 

Dependencies 

Subpractices 

1.  Determine  the  scope  of 
risk  assessment. 

2.  Identify  risks  due  to 
external  dependencies. 

3.  Analyze  risks  due  to 
external  dependencies. 

4.  Categorize  and  prioritize 
risks. 

5.  Assign  a  risk  disposition 
to  each  identified  risk. 


DS2.3  5.5.1  6.2.1 

5.6.5  6.2.2 

6.7.3 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EXD:SG2.SP2  Mitigate  Risks 

4.5 

DS2.3 

5.5.1 

6.2.1 

Due  to  External 

Dependencies 

5.5.2 

6.2.2 

Subpractices 

5.6.5 

1.  Develop  risk  mitigation 

strategies  and  plans  for 
all  risks  due  to  external 
dependencies  that  have  a 
"mitigation"  or  "control" 
disposition. 

6.7.3 

2.  Validate  the  risk 

mitigation  plans  by 
comparing  them  to 
existing  strategies  for 
protecting  and  sustaining 
external  dependencies. 

3.  Identify  the  person  or 

group  responsible  for 
each  risk  mitigation  plan 
and  ensure  that  they 
have  the  authority  to  act 
and  the  proper  level  of 
skills  and  training  to 
implement  and  monitor 
the  plan. 

4.  Monitor  and  manage 

residual  risk. 

5.  Implement  the  risk 

mitigation  plans  and 
provide  a  method  for 
monitoring  their 
effectiveness. 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

EXD:SG2.SP2  Mitigate  Risks 

Due  to  External 

Dependencies 

Subpractices  (continued) 

6.  Monitor  risk  status  on  a 

regular  basis  to  ensure 
that  the  risk,  its 
mitigation  strategy,  and 
its  plan  do  not  pose 
additional  threat  to  the 
organization. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EXD-.SG3  Establish  Formal 

Relationships 

EXD:SG3.SP1  Establish 

SD:SP2.1 

AI5.4 

Risk  Man¬ 
agement 

6.1.2 

5.6 

6.2.2 

Enterprise  Specifications  for 

DS1.1 

6.1.3 

5.8.1 

6.2.3 

External  Dependencies 

5.8.2 

Subpractices 

6.3.4 

1.  Establish  a  list  of 

enterprise-level  6  3  9 

specifications  that  apply 

to  external  dependencies  ^ 

and  entities. 

2.  Include  specifications  to 
adhere  to  relevant 
policies,  standards,  and 
guidelines  (particularly 
those  that  support  or 
affect  the  resilience  of 
the  organization  or  its 
operations)  in  the  list  of 
enterprise  specifications 
for  external 
dependencies  and 
entities. 

3.  Include  relevant 
compliance  and 
regulatory  requirements 
in  the  list  of  enterprise 
specifications  for  external 
dependencies  and 
entities. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EXD:SG3.SP1  Establish 


Enterprise  Specifications  for 
External  Dependencies 

Subpractices  (continued) 

4.  Include  the  enterprise 
specifications  for  external 
dependencies  and 
entities  in  contract  and 
agreement  templates  as 
appropriate. 

5.  Review  and  update  the 
enterprise  specifications 
for  external 
dependencies  and 
entities  on  a  regular 
basis. 

6.  Ensure  that  changes  are 
initiated  to  agreements 
with  external  entities 
when  the  enterprise 
specifications  change. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EXD:SG3.SP2  Establish 
Resilience  Specifications  for 
External  Dependencies 

Subpractices 

1.  For  each  external 
dependency,  establish  a 
list  of  resilience 
specifications  that  apply 
to  the  responsible 
external  entity. 

2.  Include  specific 
characteristics  of  the 
external  entity  that  are 
required. 

3.  Include  resilience 
requirements  for  assets 
that  will  be  developed, 
provided,  or  maintained 
by  external  entities. 

4.  Include  required 
behaviors,  standards  of 
performance,  and  service 
levels  that  are  required  of 
the  external  entity. 

5.  Periodically  review  and 
update  resilience 
specifications  for  external 
dependencies  and 
entities  as  conditions 
warrant. 


SD:SP2.1  AI5.4  Risk  Man-  55.3  6.2.3 

agement 

SD:SP2.3  DS1.1  5.5.4  10.2.1 

5.5.5  12.5.5 
5.6 

5.8.1 

5.8.2 
6.3.9 

6.7.3 
6.8.2 

6.14.5 
7 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 

ISO/I  EC  ISO/IEC  ISO/IEC  ISO/IEC  ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2:  24762:  27002:  27005:  31000:  NFPA  PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev  CMMI-Svc 

4.1 

Handbook 

2005  (E)  2008  (E)  2005  (E)  2008  (E)  2009  (E)  1600  2009 

EXD:SG3.SP3  Evaluate  and 

4.5 

AI5.3 

5.6.6 

Select  External  Entities 

6.7.2 

Subpractices 

6.8.2 

1.  Establish  a  selection 

6.14.5 

process  for  external 

entities  that  includes  y 

consideration  of 
applicable  specifications. 

0.4 

2.  Establish  external  entity 

selection  criteria.  8.5 

3.  Include  the  resilience 
specifications  for  external 
entities  in  RFPs,  other 
solicitations  of  interest, 
and  other  documents  or 
processes  that  are 
designed  to  identify 
and/or  qualify  candidate 
external  entities. 

4.  Evaluate  external  entities 
based  on  their  abilities  to 
meet  the  resilience 
specifications  and  in 
accordance  with  the 
established  selection 
criteria. 

5.  Perform  due  diligence  on 
candidate  external 
entities.  Approve 
allocation  of  funding  to 
resilience  engineering 
program  and  process 
activities. 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EXD:SG3.SP3  Evaluate  and 
Select  External  Entities 


Subpractices  (continued) 

6.  Select  external  entities 
and  document  the 
selection  and  decision 
rationale. 

7.  If  any  resilience 
specifications  are  unmet 
by  the  selected  external 
entity,  revise  the 
selection  criteria  to 
adjust  the  specifications 
or  treat  the  unmet 
specifications  as 
identified  risks  in 
EXD:SG2.SP1. 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EXD:SG3.SP4  Formalize 

5.5 

SAM:SP1.3 

SAM:SP1.3 

AI5.4 

6.1.2 

5.5.3 

6.2.3 

6.2.2 

Relationships 

SAM:SP2.1 

SAM:SP2.1 

DS1.3 

6.1.3 

5.5.4 

10.8.2 

6.2.3 

Subpractices 

SD:SP1.2 

DS1.4 

7.2.1 

5.5.5 

1.  Select  an  agreement  type 

that  best  fits  the 

DS2.2 

7.3.1 

5.6 

performance  standards 
required  by  the 

7.3.2 

5.8.1 

organization  and  that  is 
enforceable  if  problems 

7.3.3 

5.8.2 

arise. 

2.  Properly  document  the 

6.3.5 

agreement  terms, 
conditions,  specifications, 

6.3.7 

and  other  provisions. 

7.6.2 

3.  Ensure  that  the 

organization  and  the 
external  entity  agree  to 

7.6.4 

all  agreement  provisions 
and  specifications  before 
executing  the  agreement. 

4.  Update  the  agreement  as 
required  throughout  the 
duration  of  the 
agreement  according  to 
provisions  established  in 
the  agreement. 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EXD-.SG4  Manage  External 

Entity  Performance 

EXD:SG4.SP1  Monitor 

4.5 

SAM:SP2.2 

SAM:SP2.2 

AI4.2 

6.1.3 

5.6.4 

10.2.2 

External  Entity  Performance 

SAM:SP2.3 

SAM:SP2.3 

DS1.5 

7.2.1 

5.6.5 

12.5.5 

Subpractices 

SAM:SP2.4 

SAM:SP2.4 

DS1.6 

7.2.2 

6.8.2 

l.  Establish  procedures  and 

responsibility  for 
monitoring  external 

SD:SP3.3 

DS2.4 

7.2.3 

7.5.10 

entity  performance  and 
inspecting  external  entity 

ME2.6 

7.3.1 

7.6.1 

deliverables. 

7.3.3 

7.6.3 

2.  Meet  periodically  with 

7.6.7 

external  entity 

representatives  to  review 
the  result  of  monitoring 

7.10.3 

activities,  the 
specifications  in  the 

7.16.3 

agreement,  and  any 
changes  in  either  the 
organization  or  the 
external  entity  that  might 
impact  performance 
under  the  agreement. 

9.3.1 

3.  Evaluate  any  deviations 

in  the  performance  of  the 
external  entity  from  the 
established  specifications 
to  determine  the  risk  to 
the  organization's 
operation  and  to  inform 
the  selection  of 
corrective  actions. 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Flandbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

EXD:SG4.SP2  Correct 

External  Entity 

Performance 

SAM:SP2.2 

SAM:SP2.3 

SAM:SP2.2 

SAM:SP2.3 

AI4.2 

DS1.6 

6.1.3 

7.2.1 

5.6.5 

6.8.2 

10.2.3 

Subpractices 

1.  Evaluate  alternative 

corrective  actions  to 
select  the  optimal 
corrective  action. 

SAM:SP2.4 

SAM:SP2.4 

SD:SP3.3 

DS2.4 

ME2.7 

7.2.2 

7.3.1 

2.  Communicate  with  the 

external  entity  to  review 
selected  corrective 

actions. 

3.  Implement  selected 

corrective  actions. 

4.  Monitor  as  appropriate 

to  ensure  that  issues  are 
remedied  in  a  timely 

manner. 

5.  Update  the  agreement 

with  the  external  entity 
as  required. 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009  2006  CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

CERT®  Resilience 
Management  Model 
vl.l 


Commercial  Standards  and  Practices 


FRM  -  Financial  Resource  Management 


FRM:SG1  Establish 
Financial  Commitment 


FRM:SG1.SP1  Commit 
Funding  for  Operational 
Resilience  Management 

Subpractices 

1.  Develop  the  business 
case  for  the  operational 
resilience  management 
program  and  process. 

2.  Establish  operational 
resilience  management 
program  and  process 
funding  as  a  regular  part 
of  the  organization's 
strategic  plan  budgeting 
(capital  and  expense) 
exercise. 

3.  Define  the  sources  of 
funds  that  will  be  used  to 
fund  the  operational 
resilience  management 
program  and  process 
activities. 


DS6.1 


3.1 

4.1.4 

6.4.2 


4.7 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

FRM:SG1.SP1  Commit 
Funding  for  Operational 
Resilience  Management 


Subpractices  (continued) 

4.  Approve  allocation  of 
funding  to  operational 
resilience  management 
program  and  process 
activities. 


FRM:SG1.SP2  Establish  P05.1  6.4.1  4.7.4 

Structure  to  Support 

Financial  Management 

Subpractices 

1.  Establish  resilience 

accounting  policies  and 
procedures. 

2.  Establish  resilience 

accounts,  cost  strings, 
and  budgeting  processes. 

3.  Establish  tools  and 

techniques  for  resilience 
financial  management. 

4.  Assign  responsibility  and 
accountability  for 
resilience  budgeting, 
funding,  and  accounting 
activities. 
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CERT®  Resilience 


Commercial  Standards  and  Practices 


Management  Model 
vl.l 

Process  Area  Specific  iso/iec  iso/iec  iso/iec  iso/iec  iso/iec 

Goals  and  Specific  ANSI/ASIS  BS25999-1:  COBIT  FFIEC  BCP  20000-2:  24762:  27002:  27005:  31000:  NFPA  PCI: 

Practices  SPC.l-2009  2006  CMMI-Dev  CMMI-Svc  4.1  Handbook  2005(E)  2008(E)  2005(E)  2008(E)  2009(E)  1600  2009 

FRM:SG2  Perform  Financial 
Planning 


FRM:SG2.SP1  Define  PP:SP1.4  P05.4  6.4.2 

Funding  Needs 

Subpractices 

1.  Collect  historical  data 
that  will  be  used  as  the 
basis  for  developing 
funding  requirements. 

2.  Determine  and  document 
resilience  funding 
requirements. 

3.  Validate  funding  assump¬ 
tions  through  detailed 
analysis  of  resilience  re¬ 
quirements. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 

Process  Area  Specific  iso/iec  iso/iec  iso/iec  iso/iec  iso/iec 

Goals  and  Specific  ANSI/ASIS  BS25999-1:  COBIT  FFIEC  BCP  20000-2:  24762:  27002:  27005:  31000:  NFPA  PCI: 

Practices  SPC.l-2009  2006  CMMI-Dev  CMMI-Svc  4.1  Handbook  2005(E)  2008(E)  2005(E)  2008(E)  2009(E)  1600  2009 

FRM:SG2.SP2  Establish  PP:SP2.1  P05.3  6.4.2  4.4 

Resilience  Budgets  6  4  3 

Subpractices 

1.  Determine  the  budgets 
available  for  the 
resilience  program. 

2.  Establish  a  budgeting 
methodology  and  process 
for  resilience. 

3.  Develop  the  operational- 
level  resilience  budgets. 

4.  Develop  the  enterprise- 
level  resilience  budgets. 

5.  Assign  authority  and 
accountability  for 
developing  and  managing 
the  budgets. 

6.  Review  budgets  on  a 
regular  basis  and  update 
as  necessary. 

7.  Tie  performance 
measures  to  the 
resilience  budgets. 
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CERT®  Resilience 
Management  Model 
vl.l 


Commercial  Standards  and  Practices 


Process  Area  Specific 

Goals  and  Specific  ansi/asis  BS25999-1: 

Practices  spc.1-2009  2006 


CMMI-Dev 


CMMI-Svc 


ISO/I  EC  ISO/IEC  ISO/IEC 

COBIT  FFIEC  BCP  20000-2:  24762:  27002: 

4.1  Handbook  2005(E)  2008(E)  2005(E) 


ISO/IEC  ISO/IEC 

27005:  31000:  NFPA  PCI: 

2008(E)  2009(E)  1600  2009 


FRM:SG2.SP3  Resolve 

Funding  Gaps 

Subpractices 

1.  Perform  gap  analysis 
between  resilience 
funding  needs  and 
established  budgets. 

2.  Identify  budget  shortfalls. 

3.  Identify  risks  related  to 
budget  shortfalls. 

4.  Develop  and  document 
decisions  to  resolve 
potential  issues, 
concerns,  and  risks  that 
result  from  funding  gaps. 


P05.3 


6.4.3 


FRM:SG3  Fund  Resilience 
Activities 


FRM:SG3.SP1  Fund  Resili¬ 
ence  Activities 

Subpractices 

1.  Develop  policies  and 
procedures  for  accessing 
resilience-budgeted 
funds. 

2.  Develop  a  process  for 
addressing  off-cycle  or 
off-budget  funds  requests 
and  approvals. 


6.4.3 


4.4 

4.7 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

FRM:SG4  Account  for 
Resilience  Activities 


FRM:SG4.SP1  Track  and 
Document  Costs 

Subpractices 

1.  Develop  and  implement  a 
means  for  collecting  and 
tracking  costs. 

2.  Collect  financial  data  on 
the  costs  related  to 
providing  resilience 
services. 

3.  Calculate  variances 
between  budgeted  costs 
and  actual  costs. 

4.  Identify  and  document 
major  budget  variances. 

5.  Analyze  budgets  on  a 
regular  basis  to 
determine  potential 
period  shortfalls  or 
unspent  items. 

6.  Revise  budgets  based  on 

actual  data  if  necessary. 


DS6.2  4.1.4 

DS6.4  6.4.2 

P05.4  6.4.3 

6.4.4 


4.4 

4.7.5 
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Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

FRM:SG4.SP2  Perform  Cost 

DS6.3 

4.1.4 

and  Performance  Analysis 

DS6.4 

6.4.2 

Subpractices 

P05.4 

6.4.3 

l.  Perform  analysis  on 

budget  variances  and 
document  explanations 
for  the  variances. 

2.  Develop  plans  for 

reducing  or  eliminating 
variances. 

3.  Calculate  the  true  cost  of 

providing  resilience 
services  (COR). 

4.  Report  financial 

exceptions. 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

FRM:SG5  Optimize 

Resilience  Expenditures  and 

Investments 

FRM:SG5.SP1  Optimize 

Resilience  Expenditures 

Subpractices 

1.  Establish  scope  of 
optimization  calculations 
and  examination. 

2.  Perform  optimization 
calculations  on  high-value 
assets  and/or  services. 

3.  Identify  opportunities  for 
optimization. 

4.  Revise  strategies  to 
provide  optimal 
operational  resilience. 


P05.4  6.4.4 

P05.5 
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vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 

ISO/I  EC  ISO/IEC  ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT  FFIEC  BCP  20000-2:  24762:  27002: 

27005: 

31000:  NFPA  PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev  CMMI-Svc 

4.1  Handbook  2005(E)  2008(E)  2005(E) 

2008  (E) 

2009  (E)  1600  2009 

FRM:SG5.SP2  Determine 

P05.5  BCP  Pr0‘  6.4.4 

5.5 

cess 


Return  on  Resilience 
Investments 

Subpractices 

1.  Establish  and  collect 
objective  and 
quantifiable  variables  to 
include  in  the  RORI 
calculation. 

2.  Establish  the  scope  of  the 
calculation. 

3.  Perform  the  RORI 
calculation. 

4.  Analyze  results  of  RORI 
calculation. 

5.  Develop  and  implement 
strategies  to  improve 
RORI. 
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Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 

ISO/I  EC  ISO/IEC  ISO/IEC  ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT  FFIEC  BCP  20000-2:  24762:  27002:  27005: 

31000:  NFPA  PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev  CMMI-Svc 

4.1  Handbook  2005(E)  2008(E)  2005(E)  2008(E) 

2009  (E)  1600  2009 

FRM:SG5.SP3  Identify  Cost 

P05.5 

Recovery  Opportunities 
Subpractices 

1.  Determine  areas  where 
resilience  costs  can  be 
assigned  to  and  included 
in  the  production  costs 
for  services  and  products. 

2.  Determine  appropriate 
level  of  resilience  cost 
charge-backs. 

3.  Include  resilience  costs  in 
the  determination  of 
standard  costs  for 
services  and  products. 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

HRM  -  Human  Resource  Management 

HRM:SG1  Establish 

Resource  Needs 

HRM:SG1.SP1  Establish 

Baseline  Competencies 

P04.12 

P07.1 

3.3.1 

8.3 

8.1.1 

Subpractices 

1.  Establish  and  document 
baseline  competencies 
necessary  to  meet  the 
needs  of  the 
organization's 
operational  resilience 
management  system. 

2.  Create  or  update  job 
descriptions  to  reflect 
base  competencies. 

P07.2 
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Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

HRM:SG1.SP2  Inventory 

P04.12 

3.3.1 

8.2.1 

Skills  and  Identify  Gaps 

P07.2 

3.3.2 

Subpractices 

P07.3 

3.3.3 

l.  Develop  a  skills 

inventory,  particularly 
relevant  to  resilience 

skills. 

2.  Compare  baseline 

competencies  to  the 
current  skills  inventory. 

3.  Identify  skill  gaps  and 

deficiencies. 

4.  Develop  processes  to 

keep  the  skills  inventory 
current  and  for 
performing  regular 
comparison  to  baseline 
competencies. 
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vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

HRM:SG1.SP3  Address 

PP:SP2.5 

P07.2 

3.3.1 

8.2.1 

Skill  Deficiencies 

P07.3 

3.3.2 

Subpractices 

P07.4 

3.3.3 

l.  Develop  strategy  for 

addressing  skill  gaps. 

2.  Update  job  descriptions 

to  incorporate  missing 
skills  as  necessary. 

3.  Develop  job  requisitions 

for  unfilled  positions. 

4.  Develop  training  plans  for 

skills  that  can  be 
obtained  by  existing  staff. 

5.  Refer  resulting  risks  to 

the  risk  management 
process  for  disposition. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

HRM-.SG2  Manage  Staff 

Acquisition 

HRM:SG2.SP1  Verify 

Suitability  of  Candidate 

Staff 

Subpractices 

1.  Establish  baseline 
verification  criteria  that 
apply  to  all  positions  in 
the  organization. 

2.  Establish  job-specific 
verification  criteria  that 
apply  to  vital  positions. 

3.  Establish  verification  8.3 

program  and  procedures. 

4.  Review  and  revise 
verification  criteria  and 
program  as  required. 


5.6.6 

5.9.1 

6.3.2 

6.3.4 
6.3.9 

6.14.4 
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CERT®  Resilience 
Management  Model 
vl.l 


Commercial  Standards  and  Practices 


Process  Area  Specific 
Goals  and  Specific 
Practices 


ANSI/ASIS  BS25999-1: 

SPC.1-2009  2006 


CMMI-Dev  CMMI-Svc 


ISO/I  EC 

COBIT  FFIEC  BCP  20000-2: 

4.1  Handbook  2005(E) 


ISO/IEC  ISO/IEC 

24762:  27002: 

2008  (E)  2005  (E) 


ISO/IEC  ISO/IEC 

27005:  31000:  NFPA  PCI: 

2008(E)  2009(E)  1600  2009 


HRM:SG2.SP2  Establish 

Terms  and  Conditions  of 

Employment 

Subpractices 

1.  Establish  baseline  terms 
and  conditions  of 
employment  that  apply 
to  all  positions  in  the 
organization. 

2.  Ensure  that  terms  and 
conditions  are  clearly 
documented  in  job 
descriptions. 

3.  Execute  agreements  as 
necessary  to  enforce 
employment  terms  and 
conditions. 


P04.14 

P07.3 


5.5.5 

5.6.6 


8.1.1 

8.1.2 

8.1.3 
8.2.1 
9.2.7 

11.2.3 

11.3.1 

15.1.2 


CMU/SEI-201 1-TN-012  |  89 


cert®  Resilience  Commercial  Standards  and  Practices 


Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

HRM:SG3  Manage  Staff 

Performance 

HRM:SG3.SP1  Establish 

Resilience  as  a  Job 

Responsibility 

Subpractices 

1.  Insert  resilience 
obligations  into  job 
descriptions. 

2.  Ensure  that  job 
descriptions  and 
resilience  requirements 
are  communicated  to 
candidate  staff  prior  to 
employment. 


P04.14  Board  and  3  3 A  6.3.4  6.1.3 

Senior 

Manage-  8  11 

ment  Re¬ 
sponsibility  8  2  1 

11.2.3 

11.3.1 

13.1.2 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

HRM:SG3.SP2  Establish  6.3.9  6.1.3 

Resilience  Performance  8  2  1 

Goals  and  Objectives 

11.2.3 

Subpractices 

11.3.1 

1.  Review  resilience 

obligations,  roles,  and  13  1  2 

responsibilities  of  the 

position  as  the  basis  for 

establishing  resilience 

goals  and  objectives. 

2.  Formalize  and  establish 
resilience  goals  and 
objectives  in  writing. 

3.  Ensure  that  the  staff 
members  understand 
resilience  goals  and 
objectives. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

HRM:SG3.SP3  Measure  and 

P07.7 

3.3.1 

7.5.8 

Assess  Performance 

3.3.3 

Subpractices 


1.  Measure  performance 
against  resilience  goals 
and  objectives. 

2.  Conduct  performance 
evaluations. 

3.  Acknowledge 
performance 
achievements  as 
appropriate. 

4.  Identify  improvement 
opportunities  and  take 
corrective  actions  as 
necessary. 

5.  Revise  goals  and 
objectives  as  needed. 


HRM:SG3.SP4  Establish 

Disciplinary  Process 

Subpractices 

1.  Establish  an  investigation 
process. 

2.  Establish  a  disciplinary 
process. 

3.  Revise  the  disciplinary 
process  as  needed. 


8.2.3 

15.2.1 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 

ISO/I  EC  ISO/IEC  ISO/IEC 

ISO/IEC  ISO/IEC 

Goals  and  Specific  ansi/asis 

BS25999-1: 

COBIT 

FFIEC  BCP  20000-2:  24762:  27002: 

27005:  31000:  NFPA  PCI: 

Practices  spc.1-2009 

2006 

CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005(E)  2008(E)  2005(E) 

2008(E)  2009(E)  1600  2009 

HRM:SG4  Manage  Changes 

to  Employment  Status 

HRM:SG4.SP1  Manage  P07.8  3.3.2  5.6.6  8.3.1 

Impact  of  Position  Changes  6  3  4  15  1 

Subpractices 

1.  Establish  and  execute  an 
exit  interview  process. 

2.  Develop  a  plan  for 
reassignment  of  roles  and 
responsibilities. 

3.  Reassign  resilience  roles 
and  functions  upon  a 
staff  member's  departure 
from  a  position. 

4.  Review  and  confirm 
understanding  of 
confidentiality 
agreements  and  obtain 
assurances  for 
compliance. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

HRM:SG4.SP2  Manage 

P07.8 

6.3.4 

8.3.2 

Access  to  Assets 

8.3.3 

Subpractices 

15.1.2 

l.  Secure  the  return  of  all 

organizational  assets, 
property,  and 
information  upon  a  staff 
member's  departure. 

2.  Inventory  all 

organizational  assets, 
property,  and 
information  in  possession 
of  staff  upon  position 
changes,  and  make 
necessary  adjustments. 

3.  Discontinue  all  access  to 

organizational  assets 
upon  termination  or 
position  changes. 

HRM:SG4.SP3  Manage 

P07.8 

3.3.2 

6.3.4 

8.3.1 

Involuntary  Terminations 

8.3.3 

Subpractices 

1.  Establish  criteria  for 

determining  potential 
risks  related  to 
involuntary  terminations. 

2.  Establish  procedures  for 

managing  involuntary 
terminations. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific  ansi/asis 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices  spc.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

ID  -  Identity  Management 

ID:SG1  Establish  Identities 

ID:SG1.SP1  Create 

DS5.3 

6.4.8 

5.7.1 

10.9.1 

Identities 

6.3.2 

11.1.1 

Subpractices 

11.2.1,2 

1.  Establish  an  identity 

profile  for  persons, 
objects,  and  entities. 

11.5.2,4 

11.6.1 

ID:SG1.SP2  Establish 

DS5.3 

5.7.1 

10.9.1 

Identity  Community 

6.3.2 

11.2.1,2 

Subpractices 

6.4.8 

11.2.3 

l.  Create  and  maintain  an 

identity  repository. 

11.3.1 

2.  Deposit  identity  profiles 
as  they  are  created  into 
the  identity  repository. 

3.  Establish  access  controls 
to  ensure  protection  over 
identity  information. 

11.4.1.2.3 

11.5.4 

12.4.3 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

ID:SG1.SP3  Assign  Roles  to 

Identities 

DS5.3 

6.3.2 

6.4.8 

10.9.1 

11.2.1 

Subpractices 

1.  Develop,  authorize,  and 
justify  roles. 

2.  Assign  roles  to  identities. 

11.2.2 

11.5.4 

ID:SG2  Manage  Identities 

ID:SG2.SP1  Monitor  and 

Manage  Identity  Changes 

6.3.4 

11.2.1 

Subpractices 

1.  Establish  organizational 
criteria  that  may  signify 
changes  in  the  identity 
community. 

2.  Monitor  for  and  manage 
changes  to  identity 
community. 
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cert®  Resilience  Commercial  Standards  and  Practices 


Management  Model 
vl.l 


Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

ID:SG2.SP2  Periodically 

DS5.4 

6.3.4 

11.2.1 

Review  and  Maintain 

Identities 

Subpractices 

1.  Establish  regular  review 
cycle  and  process. 

2.  Perform  review  of 
identity  community. 

3.  Identify  inconsistencies  in 
the  identity  community. 


ID:SG2.SP3  Correct  DS5.4  6.3.4  11.2.1 

Inconsistencies  112  4 

Subpractices 

1.  Develop  corrective 
actions  to  address 
inconsistencies  in  identity 
profiles. 

2.  Correct  identity  profiles 
as  required. 

3.  Document  disposition  for 
inconsistencies  that  will 
not  result  in  changes  or 
corrections. 

4.  Update  status  on 
corrective  actions. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

ID:SG2.SP4  Deprovision 

DS5.3 

6.3.4 

11.2.1 

Identities 

DS5.4 

11.2.4 

Subpractices 

P07.8 

l.  Obtain  written  approval 

from  line  of  business  and 
organizational  unit 
managers,  asset  owners, 
and  human  resources 
staff  for  deprovisioning 
identities. 

2.  Identify  and  trace  access 

privileges  associated  with 
the  identity's  roles. 

3.  Deprovision  identities  as 

required. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC  -  Incident  Management  and  Control 

IMC:SG1  Establish  the 

Incident  Management  and 

Control  Process 

IMC:SG1.SP1  Plan  for 

4.4.7 

5.5 

IRP:SP1.1 

PO10.9 

Risk  Man¬ 
agement 

6.6.6 

5.3.4 

5.1.1 

Incident  Management 

7.8 

IRP:SP1.2 

Other 

8.2.1 

5.7.5 

5.2 

Subpractices 

7.9 

Policies, 

Standards, 

6.10.5 

5.7.1 

l.  Establish  the  incident 

and  Pro- 

management  plan 

8.2 

cesses 

6.4.2 

content. 

8.3 

Appendix 

6.9.1 

2.  Establish  commitments 

D:  Pandem- 

to  the  plan. 

8.4 

ic  Planning 

3.  Revise  the  plan  and 

commitments  as 

8.5 

necessary. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG1.SP2  Assign  Staff  to 

7.8 

IRP:SP1.1 

Other 

Policies, 

6.1.2 

5.3.4 

5.2.2 

the  Incident  Management 

Plan 

8.3.3 

IRP:SP1.2 

Standards, 
and  Pro- 

5.2.3 

8.3.5 

cesses 

5.2.4 

Subpractices 

8.3.6 

5.2.5 

l.  Develop  detailed  job 

descriptions  for  each 
role/responsibility 
detailed  in  the  incident 
management  plan. 

8.4 

8.5.2 

6.5.1 

6.9.2 

2.  Establish  a  list  of 

8.5.3 

candidate  and  skilled 
staff  to  fill  each 

8.5.4 

role/responsibility  in  the 
incident  management 
plan. 

8.5.5 

3.  Assign  staff  to  incident 

8.5.6 

management  roles  and 
responsibilities. 

4.  Ensure  that 

organizational  training  is 
provided  to  incident  staff 
respective  to  their 
specific  incident 
management  job 
responsibilities. 

CMU/SEI-201 1-TN-012  |  100 


CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Elandbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG2  Detect  Events 

IMC:SG2.SP1  Detect  and 

IRP:SP2.1 

DS8.1 

6.6.6 

5.7.5 

6.2.2 

6.4.2 

Report  Events 

DS10.1 

8.1.2 

6.3.11 

10.4.1 

Subpractices 

P09.3 

8.2.1 

6.4.6 

10.10.1 

1.  Define  the  methods  of 

event  detection  and 
reporting. 

8.3.2 

10.10.2 

2.  Develop  and 

12.5.4 

communicate 
descriptions  of  event 

13.1.1 

detection  and  reporting 
roles  and  responsibilities. 

13.2.1 

3.  Assign  the  roles  of  event 

detection  and  reporting 
to  appropriate  staff 
throughout  the 
organization. 

4.  Establish  a  process  for 

event  reporting. 

Document  events  as  they 
are  detected  on  an  event 
report. 

5.  Submit  event  reports  to 

appropriate  management 
staff  per  the 
organization's  event 
reporting  process. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG2.SP1  Detect  and 
Report  Events 


Subpractices  (continued) 

6.  Provide  training  and 

awareness  for  managers 
and  users  of  technology 
assets  (systems, 
networks,  etc.)  to  identify 
anomalies  and  to  report 
these  anomalies  to  the 
service  desk  or  other 
authorized  source  for 
investigation  and 
resolution. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG2.SP2  Log  and  Track 

IRP:SP2.1 

DS8.1 

8.1.2 

5.7.5. 1 

10.10.1 

Events 

DS8.2 

8.2.1 

10.10.2 

Subpractices 

DS10.2 

8.3.2 

10.10.5 

1.  Develop  and  implement 

an  incident  management 

12.5.4 

knowledgebase  that 
allows  for  the  entry  of 

13.1.1 

event  reports  (and  the 
tracking  of  declared 
incidents)  through  all 

13.2.1 

phases  of  their  life  cycle. 

2.  Enter  event  reports  to 
the  incident  management 
knowledgebase  as  they 
are  received. 

3.  Establish  and  distribute 
standard  reports  that 
provide  status 
information  on  events  as 
they  move  through  the 
life  cycle. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG2.SP3  Collect,  Doc¬ 
ument,  and  Preserve  Event 
Evidence 

Subpractices 

1.  Identify  relevant  rules, 
laws,  regulations,  and 
policies  for  which 
incident  evidence  may  be 
required. 

2.  Develop  and 
communicate  consistent 
guidelines  and  standards 
for  collection, 
documentation,  and 
preservation  of  evidence 
for  events/incidents. 

3.  Document  events  and 
related  evidence 
information  in  the 
incident  management 
knowledgebase  where 
practical. 


IRP:SP2.1  5.7.5. 1  13.1.1 

13.2.1 

13.2.3 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG2.SP4  Analyze  and 

IRP:SP2.2 

Risk 

Assessment 

5.7.5. 1 

Triage  Events 


Subpractices 

1.  Assign  a  category  to 
events  from  standard 
category  definitions. 

2.  Perform  correlation 
analysis  on  event  reports 
to  determine  if  there  is 
affinity  between  two  or 
more  events. 

3.  Prioritize  events. 

4.  Assign  a  disposition  to 
events. 

5.  Escalate  events  if  they 
require  additional 
analysis. 

6.  Update  the 
knowledgebase  with 
information  gathered  in 
the  triage  process  and 
the  event  disposition. 

7.  Assign  events  that  have 
not  been  assigned  a 
"closed"  status  for 
further  analysis  and 
resolution. 

8.  Periodically  review  the 
incident  knowledgebase 
for  events  that  have  not 
been  closed  for  which 
there  is  no  disposition. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 


vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG3  Declare  Incidents 


IMC:SG3.SP1  Define  and  8.3.4 

Maintain  Incident 
Declaration  Criteria 

Subpractices 

1.  Establish  incident 
declaration  criteria  for 
use  in  guiding  when  to 
declare  an  incident. 

2.  Distribute  incident 
declaration  criteria  to  all 
sources  and  relevant  staff 
who  may  need  to  declare 
an  incident. 

3.  Update  incident 
declaration  criteria  as 
required  based  on 
experience  in  past 
declarations. 


DS5.6 


Risk  Man¬ 
agement 


DS101  Other 
Policies, 
Standards, 
and  Pro¬ 
cesses 


5.1.3 

5.4.2 

6.9.5 
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cert®  Resilience  Commercial  Standards  and  Practices 


Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG3.SP2  Analyze  IRP-SP2  2  Risk  Man- 

Incidents  '  agement 

IRP:SP3.1 

Subpractices 

1.  Establish  and 
communicate  a 
standardized  and 
consistent  incident 
analysis  approach  and 
structure. 

2.  Identify  relevant  analysis 
tools,  techniques,  and 
activities  that  the 
organization  will  use  to 
analyze  incidents  and 
develop  an  appropriate 
response. 

3.  Analyze  open  event 
reports  and  previously 
declared  incidents. 

4.  Document  analysis  on  an 
incident  analysis  report. 


8.1.2  5.7.5. 1  13.2.2 

8.2.1 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG4  Respond  to  and 
Recover  from  Incidents 


IMC:SG4.SP1  Escalate 
Incidents 

Subpractices 

1.  Develop  incident 
escalation  criteria. 

2.  Develop  incident 
escalation  procedures. 

3.  Communicate  incident 
escalation  criteria  and 
procedures  to  those  who 
have  responsibility  for 
identifying  and  escalating 
incidents. 

4.  Escalate  incidents  to 

appropriate  stakeholders 
for  resolution. 


DS8.3 

Risk  Man¬ 
agement 

8.2.1 

5.7.5. 1 

6.1.6 

6.3.9 

13.1.1 

13.2.1 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG4.SP2  Develop 

8.2 

IRP:SP2.3 

DS8.3 

Risk  Man- 

6.1.2 

5.7.5. 1 

6.1.6 

5.7.1 

agement 

Incident  Response 

8.3 

IRP:SP2.4 

DS3.4 

8.1.2 

5.8.1 

13.1.1 

6.4.2 

Subpractices 

8.4 

IRP:SP2.6 

8.2.1 

5.8.2 

13.2.1 

6.4.3 

l.  Develop  an  incident 

response  strategy  and 
plan  to  limit  incident 
effect  and  to  repair 
incident  damage. 

IRP:SP3.2 

8.2.2 

6.4.5 

2.  Identify  staff  who  are 

responsible  for 
coordinating  incident 
response  (across  all 
potential  types  of 
incidents)  and  ensure 
they  have  the  authority 
and  responsibility  to  act. 

3.  Update  the  incident 

knowledgebase  with 
information  about  the 
incident  response 
strategy  and  plan. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG4.SP3  Communicate 

Incidents 

7.9 

8.5.5 

DS5.6 

DS8.3 

Risk  Man¬ 
agement 

8.2.1 

6.3.11 

13.1.1 

13.2.1 

Subpractices 

8.5.6 

l.  Identify  relevant 

stakeholders  that  may 
have  a  vested  interest  or 

vital  role  in 

communications  about 
an  organizational 
incident. 

2.  Identify  the  appropriate 

communications 
protocols  and  channels 
(media  and  message)  for 
each  type  of  stakeholder. 

3.  Develop  and  implement 

an  organizational  incident 
management 
communications  plan. 

4.  Identify  and  obtain 

commitment  from  staff 
who  are  required  to  carry 
out  the  incident 
communications  plan. 

5.  Identify  and  train  staff 

resources  responsible  for 
incident  communication 
and  provide  general 
guidelines  for  incident 
response  and  other 
personnel  for  appropriate 
communication  of 
incident  information. 
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Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG4.SP4  Close 
Incidents 

Subpractices 

1.  Establish  criteria  for 
incident  closure. 

2.  Define  and  assign 
responsibility  for  incident 
closure. 

3.  Update  the 
knowledgebase  to 
indicate  that  an  incident 
has  been  closed. 

4.  Track  incidents  that  have 
been  open  for  an 
extended  period  of  time 
without  closure  and 
resolve. 


IRP:SP2.5 

DS8.4 

Risk  Man¬ 
agement 

8.1. 

DS10.3 

8.2, 

DS10.4 
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vl.l 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG5  Establish  Incident 

Learning 

IMC:SG5.SP1  Perform  Post- 

Incident  Review 

DS8.5 

DS10.2 

Risk  Man¬ 
agement 

8.1.2 

8.2.1 

5.7.5. 1 

13.2.2 

6.4.5 

8.1 

Subpractices 

8.2.2 

1.  Establish  and  implement 

a  formal  post-incident 
response  activity  and 
require  it  as  part  of 
closing  an  incident. 

8.3.1 

8.3.8 

2.  Assign  responsibility  for 

post-incident  review 
activities  to  appropriate 
personnel  and  ensure 
they  are  properly  trained. 

8.3.9 

3.  Identify  root-cause 

analysis  tools  and 
techniques  and  ensure  all 
personnel  who 
participate  in  analysis  are 
trained  in  their  use. 

4.  Prepare  a  post-incident 

analysis  report. 

5.  Document  the  results  of 

post-incident  root  cause 
analysis  in  the 
knowledgebase  so  that 
this  information  is 
available  for  use  in  other 
processes  (e.g.  problem 
management). 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG5.SP2  Integrate  with 
the  Problem  Management 
Process 

Subpractices 

1.  Establish  a  problem 
management  system  to 
ensure  that  all 
operational  events  that 
are  not  part  of  standard 
operation  (incidents, 
problems,  and  errors)  are 
recorded,  analyzed,  and 
resolved  in  a  timely 
manner. 

2.  Document  problem 
reports  that  arise  from 
incident  management 
and  deliver  these  reports 
to  the  problem 
management  process. 

3.  Periodically  review 
problem  reports  and 
their  status  to  determine 
their  impact  on  future 
incident  detection  and 
analysis. 

4.  Update  the  incident 
knowledgebase  with 
information  gathered  in 
the  problem 
management  process. 


DS8.5 

Risk  Man¬ 
agement 

8.1.2 

DS10.1 

Other 

8.2.1 

DS10.4 

Policies, 

Standards, 

8.3.1 

and  Pro¬ 
cesses 

8.3.2 

8.3.8 

5. 7. 5. 2 


8.3.9 


13.2.2 


6.4.5 
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Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG5.SP3  Translate 

Experience  to  Strategy 

9.5.1 

9.5.2 

Risk  As¬ 
sessment 

8.2.2 

8.3.1 

5.7.5 

6.1.2 

13.2.2 

8.2 

Subpractices 

9.5.3 

1.  Review  knowledgebase 

information  and  update 
the  following  areas 
accordingly: 

9.5.4 

9.5.5 

•  Protection  strategies  and 
controls  for  assets 
involved  in  the  incident 

9.5.6 

•  Continuity  plans  and 
sustainability  strategies 
for  assets  involved  in  the 

incident 

•  Information  security  and 
other  organizational 
policies  that  need  to 
reflect  new  standards, 
procedures,  and 
guidelines  based  on  what 
is  learned  in  the  incident 
handling 

•  Training  for  personnel  on 
information  security, 
business  continuity,  and 

IT  operations 

2.  Review  incident 

management  and  control 
processes  and  update  for 
any  perceived 
deficiencies  or  omissions. 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

IMC:SG5.SP3  Translate 


Experience  to  Strategy 

Subpractices  (continued) 

3.  Update  resilience 
requirements  for  assets 
and  services  based  on 
what  is  learned  in  the 
incident  management 
process. 

4.  Quantify  and  monitor  the 
types,  volumes,  and  costs 
of  incidents. 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009  2006  CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

KIM  -  Knowledge  and  Information  Management 


KIM:SG1  Establish  and 

Prioritize  Information  Assets 

KIM:SG1.SP1  Prioritize  6.4  6.6.2  7.2.1 

Information  Assets  , 

/.b 

Subpractices 

1.  Compile  a  list  of  high- 
value  information  assets 
from  the  organization's 
information  asset 
inventory. 

2.  Periodically  validate  and 
update  the  list  of  high- 
value  information  assets 
based  on  operational  and 
organizational 
environment  changes. 
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Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

KIM:SG1.SP2  Categorize 

Information  Assets 

Subpractices 

1.  Develop  an  information 
asset  categorization 
scheme. 

2.  Assign  responsibility  for 
the  assignment  of 
sensitivity  categorization 
levels  to  information 
assets. 

3.  Assign  sensitivity 
categorization  levels  to 
information  assets. 

4.  Establish  policies  for 
proper  handling  of 
information  assets 
according  to  the 
sensitivity  categorization 
scheme. 

5.  Establish  policies  and 
procedure  for  proper 
labeling  of  each  category 
of  information  asset. 


P02.3  6.6.2  7.2.1  4.8.2 

P04.9  7.2.2 

10.7.3 

10.10.3 
15.1.2 

15.3.1 

15.3.2 
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vl.l 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

KIM:SG2  Protect 

Information  Assets 

KIM:SG2.SP1  Assign  Resili- 

6.4 

P02.4 

Appendix 

G:  BCP 

5.3.3 

6.2.2 

4.4 

ence  Requirements  to  In- 

7.6 

DS4.8 

Compo- 

5.7.1 

7.1.3 

5.5.4 

formation  Assets 

DS5.7 

5.7.4 

10.7.4 

Subpractices 

DS5.11 

6.4.11 

10.8.1 

1.  Assign  resilience 

requirements  to  high- 
value  information  assets. 

DS11.1 

6.4.12 

10.9.2 

2.  Document  the 

DS11.6 

6.4.14 

12.3.1 

requirements  (if  they  are 
currently  not 
documented)  and  include 
in  the  asset  definition. 

DS13.4 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

KIM:SG2.SP2  Establish  and 

P02.4 

5.7.1 

6.1.5 

Implement  Controls 

DS5.7 

5.7.4 

6.2.2 

Subpractices 

DS11.1 

6.3.3 

7.1.3 

l.  Establish  and  implement 

administrative  controls 

DS11.6 

6.3.5 

9.2.5, 7 

for  information  assets. 

2.  Establish  and  implement 

DS13.4 

6.3.6 

10.1.1,3,4 

technical  controls  for 
information  assets. 

6.3.7 

10.4.1,2 

3.  Establish  and  implement 

6.4.11 

10.6.1,2 

physical  controls  for 
information  assets. 

6.4.12 

10.7,8 

4.  Monitor  the  effectiveness 

of  administrative. 

6.4.14 

10.9.2,3 

technical,  and  physical 
controls,  and  identify 
deficiencies  that  must  be 

10.10.1,2 

resolved. 

10.10.3,6 

11.2-11.7 

12.2 

12.4.1,2,3 

12.5.1,2,4 

15.1.3,4,5 

CMU/SEI-201 1-TN-012  |  119 
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Management  Model 
vl.l 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

KIM:SG3  Manage 

Information  Asset  Risk 

KIM:SG3.SP1  Identify  and 

7.3 

PP:SP2.2 

P09.1 

Risk  Man- 

10.10.2 

5.6.1 

Assess  Information  Asset 

P09.4 

agement 

11.2-7 

5.6.2 

Risk 

12.2.3  5.6.3 

Subpractices 

15.1.3 

1.  Determine  the  scope  of 
the  risk  assessment  for 
information  assets. 

2.  Identify  risks  to 
information  assets. 

3.  Analyze  risks  to 
information  assets. 

4.  Categorize  and  prioritize 
risks  to  information 
assets. 

5.  Assign  a  risk  disposition 
to  each  information  asset 
risk. 

6.  Monitor  the  risk  and  the 
risk  strategy  on  a  regular 
basis  to  ensure  that  it 
does  not  pose  additional 
threat  to  the 
organization. 

7.  Develop  a  strategy  for 
those  risks  that  the 
organization  decides  to 
mitigate. 
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Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

KIM:SG3.SP2  Mitigate  7.3 

Information  Asset  Risk 

Subpractices 

1.  Develop  and  implement 
risk  mitigation  strategies 
for  all  risks  that  have  a 
"mitigation"  or  "control" 
disposition. 

2.  Validate  the  risk 
mitigation  plans  by 
comparing  them  to 
existing  protection  and 
sustainability  strategies. 

3.  Identify  the  person  or 
group  responsible  for 
each  risk  mitigation  plan 
and  ensure  that  they 
have  the  authority  to  act 
and  the  proper  level  of 
skills  and  training  to 
implement  and  monitor 
the  plan. 

4.  Address  residual  risk. 

5.  Implement  the  risk 
mitigation  plans  and 
provide  a  method  to 
monitor  the  effectiveness 
of  these  plans. 

6.  Monitor  risks  status. 

7.  Collect  performance 
measures  on  the  risk 
management  process. 


P09.4  Risk  Man-  6.4.11  11.2-7 

agement 

P09.5  6.4.12  12.2.3 

6.4.14  15.1.3 


5.6.1 

5.6.2 

5.6.3 
5.7 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

KIM:SG4  Manage 

Information  Asset 

Confidentiality  and  Privacy 

KIM:SG4.SP1  Encrypt  High- 

Value  Information 

DS5.8 

DS5.11 

5.7.2 

5.7.4 

6.1.5 

10.6.1 

Subpractices 

10.7.4 

1.  Establish  an 

organizational  policy  and 

10.8.1 

program  addressing  the 
proper  use  of  encryption 

10.8.2 

and  cryptographic  means 
for  protecting 
information  assets. 

10.8.4 

2.  Establish  a  list  of 

10.9.2 

acceptable  cryptographic 
technologies  preferred  by 

12.2.3 

the  organization. 

12.3 

3.  Encrypt  information 

assets  based  on  policy 
and  information  asset 

15.1.4 

categorization. 

15.1.6 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

KIM:SG4.SP2  Control  Ac- 

DS5.10 

5.7.2 

6.1.5 

4.8.2 

cess  to  Information 

DS5.11 

5.7.4 

10.1.4 

Assets 

7.4.3 

10.6.1 

10.7.4 

10.8.4,5 

Subpractices 

l.  Identify  the  information 

assets  to  which  access 

must  be  controlled. 

2.  Develop  and  implement 

access  controls  to  satisfy 
confidentiality  and 
privacy-related  resilience 
requirements. 

10.9.2 

10.10.1 

10.10.3 

3.  Manage  access  controls 

on  an  ongoing  basis  to 
ensure  continued 

satisfaction  of 
confidentiality  and 
privacy-related  resilience 
requirements. 

12.2.3 

15.1.3,4 

15.3.1,2 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

KIM:SG4.SP3  Control 

Information  Asset 

Disposition 

Subpractices 

1.  Develop  and  implement 
guidelines  for  the 
appropriate  disposition  of 
information  assets. 

2.  Communicate  these 
guidelines  to  all 
personnel  who  are 
responsible  for  the 
resilience  of  information 
assets. 


DS11.4 


6.4.14 


6.1.5 

9.2.6 

10.7.1 

10.7.2 

15.1.3 

15.1.4 


4.8.2 

5.8.3 
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Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

KIM:SG5  Manage 
Information  Asset  Integrity 


KIM:SG5.SP1  Control 
Modification  of  Information 
Assets 

Subpractices 

1.  Establish  organizationally 
acceptable  tools, 
techniques,  and  methods 
for  modifying  information 
assets. 

2.  Identify  and  document 
personnel  who  are 
authorized  to  modify 
information  assets, 
relative  to  the  asset's 
integrity  requirements. 

3.  Implement  tools, 
techniques,  and  methods 
to  monitor  and  log 
modification  activity  on 
high-value  information 
assets. 

4.  Perform  periodic  audits 
of  information  asset 
modification  logs  and 
identify  and  address 
anomalies. 


P02.4  5.7.4  10.1.1  4.8.2 

DS5.11  10.1.4 

DS5.10  10.7.4 

10.9.2 

10.9.3 

10.10.3 

12.2.3 

12.4.2 

12.4.3 

15.1.3 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 


vl.l 

ISO/IEC  ISO/IEC 

27005:  31000:  NFPA  PCI: 

2008(E)  2009(E)  1600  2009 

KIM:SG5.SP2  Manage  I  I  I  I  P02A  I  I  5.7.4  I  1011 

Information  Asset 

Configuration 

Subpractices 

1.  Establish  information 
asset  baseline  to  serve  as 
the  foundation  for 
information  asset  change 
control. 

2.  Develop  and  implement  15.1.3 

configuration  control 
policies,  procedures,  and 
techniques. 


10.1.4 

10.9.2 

10.9.3 

12.2.3 
12.5.2 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Flandbook 

2005  (E) 

2008  (E) 

2005  (E) 

3.  Review  configuration 

control  logs  and  identify 
anomalies. 
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Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

KIM:SG5.SP3  Verify  Validity 

P02.4 

10.1.1 

of  Information 

DS5.10 

10.9.2 

Subpractices 

DS5.11 

10.9.3 

l.  Establish  requirements 

for  the  inclusion  of  data 
validation  controls  in 

services  and  related 
systems. 

DS11.1 

12.2 

12.5.1 

2.  Perform  regular  review  of 

information  asset  output 
from  processes. 

12.5.2 

3.  Periodically  verify 

(through  monitoring  and 
auditing)  that  changes 
are  valid  and  authorized. 
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Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

KIM:SG6  Manage 

Information  Asset 

Availability 

KIM:SG6.SP1  Perform  7.3 

Information  Duplication  and 

Retention 

Subpractices 

1.  Develop  information 
asset  backup  and 
retention  procedures. 

2.  Backup  and  store 
information  assets  as 
prescribed  and  according 
to  their  availability 
requirements. 

3.  Periodically  test  the 
organization's  backup 
and  storage  procedures 
and  guidelines  to  ensure 
continued  validity  as 
operational  conditions 
change. 


P02.4 

DS4.9 

DS11.2 

DS11.3 

DS11.5 

AI7.5 


6.3.4  6.9.3  10.1.1 

10.5.1 
15.1.3 


4.8.2 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 

ISO/I  EC  ISO/IEC  ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT  FFIEC  BCP  20000-2:  24762:  27002: 

27005: 

31000:  NFPA  PCI: 

Practices 

SPC.1-2009  2006 

CMMI-Dev  CMMI-Svc 

4.1  Handbook  2005(E)  2008(E)  2005(E) 

2008  (E) 

2009  (E)  1600  2009 

KIM:SG6.SP2  Manage 

7.3 

P02.4  6.9.3  15.1.3 

4.8.2 

Organizational  Knowledge 

7.6 

P07.5  7.4.2 

Subpractices 


1.  Identify  vital  staff  who 
may  have  institutional 
knowledge. 

2.  Identify  information 
assets  that  may  be  in 
intangible  forms. 

3.  Document  information 
assets  as  necessary. 

4.  Develop  and  implement 
procedures  for  regular 
identification,  capture, 
and  revision  of 
institutional  knowledge. 
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Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009  2006  CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

MA  -  Measurement  and  Analysis 


MA:SG1  Align  Measure¬ 
ment  and  Analysis  Activities 


MA:SG1.SP1  Establish 

6.2 

MA:SP1.1 

CAM:SP1.2 

DS8.5 

Measurement  Objectives 

MA:SP1.1 

P08.6 

Subpractices 

PO10.13 

1.  Document  information 
needs  and  objectives. 


2.  Prioritize  information 
needs  and  objectives. 

3.  Document,  review,  and 
update  measurement 
objectives. 

4.  Provide  feedback  for 
refining  and  clarifying 
information  needs  and 
objectives  as  necessary. 

5.  Maintain  traceability  of 
the  measurement 
objective  to  the  identified 
information  needs  and 
objectives. 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

ISO/I  EC 

20000-2: 

ISO/IEC 

24762: 

ISO/IEC 

27002: 

ISO/IEC 

27005: 

ISO/IEC 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

MA:SG1.SP2  Specify 

6.2 

MA:SP1.2 

CAM:SP1.2 

DS8.5 

9.3.2 

4.6 

Measures 

QPM:SP2.1 

MA:SP1.2 

PO10.13 

4.3 

Subpractices 

l.  Identify  candidate 

measures  based  on 
documented 
measurement  objectives. 

QPM:SP2.1 

2.  Identify  existing 

measures  that  already 
address  the 

measurement  objectives. 

3.  Specify  operational 

definitions  for  the 

measures. 

4.  Prioritize,  review,  and 

update  measures. 

CMU/SEI-201 1-TN-012  |  131 


cert®  Resilience  Commercial  Standards  and  Practices 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

MA:SG1.SP3  Specify  Data 
Collection  and  Storage 
Procedures 

Subpractices 

1.  Identify  existing  sources 
of  data  that  are 
generated  from  current 
processes  or  transactions. 

2.  Identify  measures  for 
which  data  is  needed  but 
is  not  currently  available. 

3.  Specify  how  to  collect 
and  store  the  data  for 
each  required  measure. 

4.  Create  data  collection 
mechanisms  and  process 
guidance. 

5.  Support  automatic 
collection  of  the  data 
where  appropriate  and 
feasible. 

6.  Prioritize,  review,  and 
update  data  collection 
and  storage  procedures. 

7.  Update  measures  and 
measurement  objectives 
as  necessary. 


MA:SP1.3  CAM:SP1.2 
MA:SP1.3 
OID:SP1.2 
PPQA:SP2.2 
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Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

MA:SG1.SP4  Specify 

MA:SP1.4 

CAM:SP1.2 

P08.6 

Analysis  Procedures 

QPM:SP2.1 

MA:SP1.4 

PO10.13 

Subpractices 

OID:SP1.2 

l.  Specify  and  prioritize  the 

analyses  that  will  be 
conducted  and  the 
reports  that  will  be 
prepared. 

QPM:SP2.1 

2.  Select  appropriate  data 

analysis  methods  and 
tools. 

3.  Specify  administrative 

procedures  for  analyzing 
the  data  and 
communicating  the 
results. 

4.  Review  and  update  the 

proposed  content  and 
format  of  the  specified 
analyses  and  reports. 

5.  Update  measures  and 

measurement  objectives 
as  necessary. 

6.  Specify  criteria  for 

evaluating  the  utility  of 
the  analysis  results  and 
for  evaluating  the 
conduct  of  the 

measurement  and 
analysis  activities. 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

MA:SG2  Provide 
Measurement  Results 


MA:SG2.SP1  Collect 

Measurement  Data 

Subpractices 

1.  Obtain  the  data  for  base 
measures. 

2.  Generate  the  data  for 
derived  measures. 

3.  Perform  data  integrity 
checks  as  close  to  the 
source  of  the  data  as 
possible. 


MA:SP2.1  CAM:SP2.1  DS8.5  4.3  9.1 

CAM:SP2.2  PO10.13 
MA:SP2.1 


CMU/SEI-201 1-TN-012  |  134 


cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

MA:SG2.SP2  Analyze  MA:SP2.2 

Measurement  Data 

PQA:SP1.2 

Subpractices 

QPM:SP2.2 

1.  Conduct  initial  analyses, 
interpret  the  results,  and 
draw  preliminary 
conclusions. 

2.  Conduct  additional 
measurements  and 
analysis  as  necessary,  and 
prepare  results  for 
presentation. 

3.  Review  the  initial  results 
with  relevant 
stakeholders. 

4.  Refine  criteria  for  future 
analyses. 


CAM:SP2.1 

DS8.5 

CAM:SP2.2 

P08.6 

MA:SP2.2 

PO10.13 

OID:SP1.2 

OID:SP2.3 

PPQA:SP1.2 

QPM:SP2.2 
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Management  Model 


vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

MA:SG2.SP3  Store  Data 
and  Results 

Subpractices 

1.  Review  the  data  to 
ensure  its  completeness, 
integrity,  accuracy,  and 
currency. 

2.  Store  the  data  according 
to  the  data  storage 
procedures. 

3.  Make  the  stored  contents 
available  for  use  only  by 
appropriate  groups  and 
staff. 

4.  Prevent  the  stored 
information  from  being 
used  inappropriately. 


MA:SP2.3  MA:SP2.3  P08.6 
QPM:SP2.3  QPM:SP2.3 
QPM:SP2.4 


MA:SP2.4  P08.6 
PPQA:SP2.1 

Subpractices 

1.  Keep  relevant 
stakeholders  apprised  of 
measurement  results  on 
a  timely  basis. 

2.  Assist  relevant 
stakeholders  in 
understanding  the 
results. 


MA:SG2.SP4  Communicate 
Results 


MA:SP2.4 

PPQA:SP2.1 
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Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

MON  -  Monitoring 

MON:SGl  Establish  and 

Maintain  a  Monitoring 

Program 

M0N:SG1.SP1  Establish  a 

Monitoring  Program 

4.5.1 

PMC:SP1 

ME1.1 

ME1.2 

6.4.4 

6.4.5. 1 

5.4.2 

5.6.4 

Subpractices 

1.  Establish  the  plan  and 
scope  for  a  resilience 
monitoring  program. 

2.  Establish  commitments 
to  the  plan. 

3.  Revise  the  plan  and 
commitments  as 
necessary. 

6.14.10 

7.5.6 

M0N:SG1.SP2  Identify 

Stakeholders 

PMC:SP1 

All. 4 

ME1.1 

6.1.4 

Subpractices 

1.  Identify  stakeholders  of 
the  monitoring  process. 

2.  Develop  and  document  a 
stakeholder  involvement 
plan. 
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Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS  BS25999-1: 

SPC.1-2009  2006  CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/IEC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC  ISO/IEC 

27005:  31000: 

2008(E)  2009(E) 

NFPA  PCI: 

1600  2009 

MON:SGl.SP3  Establish 

CAM:SP2.1 

ME1.2 

BCP  Pro- 

4.3 

6.4.4 

10.10.1 

5.4.2 

Monitoring  Requirements 

CAM:SP2.2 

ME1.3 

6.2.1 

6.4.5. 2 

10.10.2 

5.6.2 

Subpractices 

PMC:SP1 

P03.3 

6.2.2 

6. 4. 5. 3 

10.10.4 

5.7.2 

1.  Establish  monitoring 

requirements  for  the 

6. 4. 5. 4 

10.10.5 

operational  resilience 

management  process. 

13.2.1 

2.  Identify  the  level  and 
type  of  monitoring 
activities  required  to 
meet  monitoring 
requirements. 


3.  Establish  parameters  for 
requirements  refresh  and 
review. 


MON:SGl.SP4  Analyze  and 

Prioritize  Monitoring 

Requirements 

Subpractices 

1.  Analyze  monitoring 
requirements. 

2.  Assign  priority  to 
monitoring  requirements. 

3.  Identify  monitoring 
requirements  that  may 
not  be  able  to  be 
satisfied. 

4.  Identify  risks  that  result 
from  unsatisfied 
requirements. 


PMC:SP1  ME1.3 


4.3 

6.2.2 
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Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

MON:SG2  Perform 

Monitoring 


M0N:SG2.SP1  Establish 
and  Maintain  Monitoring 
Infrastructure 

Subpractices 

1.  Identify  and  inventory 
existing  monitoring 
infrastructure  and 
capabilities  that  may 
address  the  program 
objectives  and 
monitoring  requirements. 


CAM:SP2.1 

ME1.4 

BCP  Pro¬ 
cess 

6.3.2 

6.4.4 

10.10.3 

CAM:SP2.2 

ME2.1 

6. 4. 5. 2 

PMC:SP1 

DS13.3 

6. 4. 5. 3 

PO10.9 

6. 4. 5. 4 

6.14.10 

7.5.6 

7.5.8 


2.  Identify  infrastructure 
needs  to  support 
accepted  requirements. 


3.  Implement  and  manage 
monitoring 
infrastructure. 
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vl.l 

Process  Area  Specific 

ISO/I  EC 

Goals  and  Specific  ansi/asis 

BS25999-1: 

COBIT  FFIEC  BCP 

20000-2: 

Practices  spc.1-2009 

2006 

CMMI-Dev 

CMMI-Svc  4.1  Handbook 

2005  (E) 

MON:SG2.SP2  Establish  PMC:SP1  AI3.2  6.3.2 

Collection  Standards  and  ^2  3 

Guidelines 

ME1.3 

Subpractices 

DS13.3 

1.  Develop  and  maintain 
standards  and 
parameters  for  collection 
of  monitoring  data. 

2.  Develop  and  maintain 
standards  and 
parameters  for  the 
handling  and  storage  of 
monitoring  data 
collected. 


ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

6.4.4 

10.6.1 

6. 4. 5. 2 

10.10.1 

6.4.53 

10.10.2 

7.5.6 

10.10.4 

10.10.5 

13.2.1 

15.3.1 

3.  Review,  refine,  and 
develop  monitoring 
operating  procedures. 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

MON:SG2.SP3  Collect  and 

Record  Information 

CAM:SP2.1 

CAM:SP2.2 

DS3.5 

DS5.5 

6.2.3 

6.4.4 

10.6.1 

5.4.2 

6.3.2 

6.14.10 

10.10 

Subpractices 

PMC:SP1 

DS13.3 

6.6.7 

7.5.6 

12.2.1 

1.  Develop  collection 

methods  and  procedures. 

ME1.2 

9.1 

12.2.2 

2.  Assign  resources  to 

ME2.1 

12.2.4 

monitoring  processes. 

3.  Monitor,  collect,  and 

ME2.2 

12.5.4 

record  data. 

P03.3 

13.2.1 

4.  Establish  and  maintain 

policies  for  proper 
handling,  labeling,  and 
information  classification 
of  data  collected  during 
monitoring  activities. 

15.3.1 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

MON:SG2.SP4  Distribute 

Information 

Subpractices 

1.  Identify  media  and 
methods  of  distribution 
based  on  requirements. 

2.  Develop  and  document 
plans,  processes,  and 
procedures  for 
distribution  of 
information  to  internal 
and  external 
stakeholders. 

3.  Develop  infrastructure  to 
meet  distribution 
requirements. 

4.  Distribute  monitoring 
information  according  to 
requirements. 


CAM:SP2.3  ME1.5  6.2.3 

PMC:SP1  6.6.7 
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vl.l 


Commercial  Standards  and  Practices 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009  2006  CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OPD  -  Organizational  Process  Definition 


OPD:SGl  Establish 
Organizational  Process 
Assets 


0PD:SG1.SP1  Establish 
Standard  Processes 

Subpractices 

1.  Decompose  each 
standard  process  into 
constituent  process 
elements  to  the  detail 
needed  to  understand 
and  describe  the  process. 

2.  Specify  the  critical 
attributes  of  each  process 
element. 

3.  Specify  the  relationships 
of  the  process  elements. 

4.  Ensure  that  the 
organization's  set  of 
standard  processes 
adheres  to  applicable 
process  policies, 
standards,  and  models. 

5.  Ensure  that  the 
organization's  set  of 
standard  processes 
satisfies  the  process 
needs  and  objectives  of 
the  organization. 


OPD:SPl.l  OPD:SPl.l 


AI3.1 

AI4.1 

AI5.1 

DS1.1 

DS13.1 

P03.1 

P03.2 

P04.1 

P06.3 

PO10.2 


Risk  Moni¬ 
toring  and 
Testing 


5.1.1 
5.3 
5.5.5 

6.4.1 
6.4.7 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

0PD:SG1.SP1  Establish 
Standard  Processes 


Subpractices  (continued) 

6.  Ensure  that  there  is 
appropriate  integration 
among  the  processes  that 
are  included  in  the 
organization's  set  of 
standard  processes. 

7.  Document  the 
organization's  set  of 
standard  processes. 

8.  Conduct  peer  reviews  on 
the  organization's  set  of 
standard  processes. 

9.  Revise  the  organization's 
set  of  standard  processes 
as  necessary. 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

0PD:SG1.SP2  Establish  OPD:SP1.2  OPD:SP1.2 

Tailoring  Criteria  and 
Guidelines 


Subpractices 

1.  Specify  the  selection 

criteria  and  procedures 
for  tailoring  the 
organization's  set  of 
standard  processes. 

2.  Specify  the  standards  for 

documenting  the  defined 
processes. 

3.  Specify  the  procedures 

for  submitting  and 
obtaining  approval  of 
waivers  from  the 
requirements  of  the 
organization's  set  of 
standard  processes. 

4.  Document  the  tailoring 
guidelines  for  the 
organization's  set  of 
standard  processes. 

5.  Conduct  peer  reviews  on 
the  tailoring  guidelines. 

6.  Revise  the  tailoring 
guidelines  as  necessary. 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

0PD:SG1.SP3  Establish  the 


OPD:SP1.3  OPD:SP1.3 


Organization's  Measure¬ 


ment  Repository 
Subpractices 


1.  Determine  the 

organization's  needs  for 
storing,  retrieving,  and 
analyzing  measurements. 


2.  Define  a  common  set  of 
process  and  product 
measures  for  the 
organization's  set  of 
standard  processes. 


3.  Design  and  implement 
the  measurement 
repository. 


4.  Specify  procedures  for 
storing,  updating,  and 
retrieving  measures. 


5.  Conduct  peer  reviews  on 
the  definitions  of  the 
common  set  of  measures 
and  procedures  for 
storing  and  retrieving 
measures. 


6.  Enter  the  specified 
measures  into  the 
repository. 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

0PD:SG1.SP3  Establish  the 
Organization's  Measure¬ 


ment  Repository 

Subpractices  (continued) 

7.  Make  the  contents  of  the 
measurement  repository 
available  for  use  by  the 
organization  and 
operating  units  as 
appropriate. 

8.  Revise  the  measurement 
repository,  common  set 
of  measures,  and 
procedures  as  the 
organization's  needs 
change. 
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Process  Area  Specific  iso/iec  iso/iec  iso/iec  iso/iec  iso/iec 

Goals  and  Specific  ANSI/ASIS  BS25999-1:  COBIT  FFIEC  BCP  20000-2:  24762:  27002:  27005:  31000:  NFPA  PCI: 

Practices  SPC.l-2009  2006  CMMI-Dev  CMMI-Svc  4.1  Handbook  2005(E)  2008(E)  2005(E)  2008(E)  2009(E)  1600  2009 

OPD:SGl.SP4  Establish  the  OPD:SP1.4  OPD:SP1.4  DS1.1 

Organization's  Process  ^ 

Asset  Library 

Subpractices 

1.  Design  and  implement 
the  organization's 
process  asset  library, 
including  the  library 
structure  and  support 
environment. 

2.  Specify  the  criteria  for 
including  items  in  the 
library. 

3.  Specify  the  procedures 
for  storing  and  retrieving 
items. 

4.  Enter  the  selected  items 
into  the  library  and 
catalog  them  for  easy 
reference  and  removal. 

5.  Make  the  items  available 
for  use  by  operating 
units. 

6.  Periodically  review  the 
use  of  each  item  and  use 
the  results  to  maintain 
the  library  contents. 

7.  Revise  the  organization's 
process  asset  library  as 
necessary 
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Management  Model 
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Process  Area  Specific  iso/iec  iso/iec  iso/iec  iso/iec  iso/iec 

Goals  and  Specific  ANSI/ASIS  BS25999-1:  COBIT  FFIEC  BCP  20000-2:  24762:  27002:  27005:  31000:  NFPA  PCI: 

Practices  SPC.l-2009  2006  CMMI-Dev  CMMI-Svc  4.1  Handbook  2005(E)  2008(E)  2005(E)  2008(E)  2009(E)  1600  2009 

OPD:SGl.SP5  Establish  OPD:SP1.5  OPD:SP1.5  P06.4 

Work  Environment 

Standards 

Subpractices 

1.  Evaluate  the 
commercially  available 
environment  standards 
appropriate  for  the 
organization. 

2.  Adopt  existing  work 
environment  standards 
and  develop  new  ones  to 
fill  gaps  based  on  the 
organization's  process 
needs  and  objectives. 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OPD:SGl.SP6  Establish 

IPM+IPPD: 

All. 4 

Rules  and  Guidelines  for 

SP3.3 

PO10.3 

Integrated  Teams  IPM+IPPD: 


Subpractices  SP3.4 

1.  Establish  and  maintain 
empowerment 
mechanisms  to  enable 
timely  decision  making. 

2.  Establish  rules  and 
guidelines  for  structuring 
and  forming  integrated 
teams. 

3.  Define  the  expectation, 
rules,  and  guidelines  that 
guide  how  integrated 
teams  work  collectively. 

4.  Maintain  the  rules  and 
guidelines  to  help  team 
members  balance  their 
team  and  home 
organizational 
responsibilities. 


OPD+IPPD: 

SP2.2 

OPD+IPPD: 

SP2.3 
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Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009  2006  CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OPF  -  Organizational  Process  Focus 


OPF:SGl  Determine  Pro¬ 
cess  Improvement  Oppor¬ 
tunities 

0PF:SG1.SP1  Establish 

Organizational  Process 

Needs 

Subpractices 

1.  Identify  policies, 
standards,  and  business 
objectives  that  are 
applicable  to  the 
organization's  processes 

2.  Examine  relevant  process 

standards  and  models  for 
best  practices. 

3.  Determine  the 
organization's  process 
performance  objectives. 

4.  Define  the  essential 
characteristics  of  the 
organization's  processes. 

5.  Document  the 
organization's  process 
needs  and  objectives. 

6.  Revise  the  organization's 
process  needs  and 
objectives  as  needed. 


4.6 
5.5.3 

ME4.3 

ME4.4 

PO10.1 

PO10.2 


OPF:SPl.l  OPF:SPl.l  All.l 
ME2.2 


9.1 

9.4.1 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 


vl.l 


Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

OPF:SGl.SP2  Appraise  the 

OPF:SP1.2 

OPF:SP1.2 

DS13.2 

Business 

9.1 

Organization's  Processes 
Subpractices 


ME2.1  lmPaCt 
Analysis 

ME2.2 


1.  Obtain  sponsorship  of  the 
process  appraisal  from 
higher-level  managers. 

2.  Define  the  scope  of  the 
process  appraisal. 


ME4.3 

ME4.4 

PO10.2 


3.  Determine  the  method 

and  criteria  to  be  used  for  PO10.13 

the  process  appraisal. 


4.  Plan,  schedule,  and 

prepare  for  the  appraisal 
process. 


5.  Conduct  the  process 
appraisal. 


6.  Document  the  appraisal's 
activities  and  deliver  the 
findings. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Flandbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OPF:SGl.SP3  Identify  the 

OPF:SP1.3 

OID:SPl.l 

All. 3 

9.1 

Organization's  Process 

OPF:SP1.3 

DS8.5 

Improvements 

DS13.2 

ME2.7 

Subpractices 

l.  Determine  candidate 

process  improvements. 

ME4.3 

2.  Prioritize  candidate 

process  improvements. 

ME4.4 

3.  Identify  and  document 

the  process 
improvements  to  be 
implemented. 

P010.13 

4.  Revise  the  list  of  planned 

process  improvements 
and  keep  it  current. 
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Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

OPFSG2  Plan  and 

Implement  Process  Actions 

OPF:SG2.SPl  Establish 

Process  Action  Plans 

OPF:SP2.1 

OPF:SP2.1 

DS8.5 

DS13.2 

9.4.2 

10.1 

Subpractices 

1.  Identify  strategies, 
approaches,  and  actions 
to  address  identified 
process  improvements. 

2.  Establish  process  action 
teams  to  implement 
actions. 

3.  Document  process  action 
plans. 

PO10.6 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Flandbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

OPF:SG2.SP2  Implement 

Process  Action  Plans 

OPF:SP2.2 

OID:SP1.3 

OPF:SP2.2 

DS8.5 

PO10.6 

Subpractices 


1.  Make  process  action 
plans  readily  available  to 
relevant  stakeholders. 

2.  Negotiate  and  document 
commitments  among 
process  action  teams  and 
revise  their  progress 
action  plans  as  necessary. 

3.  Track  progress  and 
commitments  against 
process  action  plans. 

4.  Conduct  joint  reviews 
with  process  action 
teams  and  relevant 
stakeholders  to  monitor 
the  progress  and  results 
of  process  actions. 

5.  Plan  pilots  needed  to  test 
selected  process 
improvements. 

6.  Review  the  activities  and 
work  products  of  process 
action  teams. 

7.  Identify,  document,  and 
track  to  closure  issues 
encountered  when 
implementing  process 
action  plans. 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

OPF:SG2.SP2  Implement 

Process  Action  Plans 

Subpractices  (continued) 

8.  Ensure  that  results  of 

implementing  process 
action  plans  satisfy  the 
organization's  process 
improvement  objectives. 
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Management  Model 


vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OPF:SG3  Deploy 
Organizational  Process 
Assets  and  Incorporate 
Experiences 


OPF:SP3.1  OPF:SP3.1  kisk  Moni¬ 

toring  and 
Testing 


Subpractices 

1.  Deploy  organizational 
process  assets  across  the 
organization. 

2.  Document  changes  to 
organizational  process 
assets. 

3.  Deploy  changes  that 
were  made  to 
organizational  process 
assets  across  the 
organization. 

4.  Provide  guidance  and 
consultation  on  the  use 
of  organizational  process 
assets. 


OPF:SG3.SPl  Deploy 
Organizational  Process 
Assets 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OPF:SP3.2  OID:SP2.1 
OPF:SP3.2 


1.  Identify  organizational 
units  in  the  organization 
that  are  starting  up  or 
recently  acquired. 

2.  Identify  existing 
organizational  units  that 
would  benefit  from 
implementing  the 
organization's  current  set 
of  standard  processes. 

3.  Establish  plans  to 
implement  the 
organization's  current  set 
of  standard  processes  in 
the  identified 
organizational  units. 

4.  Assist  organizational  units 

in  tailoring  the 
organization's  set  of 
standard  processes  to 
meet  their  needs. 

5.  Maintain  records  of 
tailoring  and 
implementing  processes 
for  the  identified 
organizational  units. 


OPF:SG3.SP2  Deploy 
Standard  Processes 

Subpractices 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OPF:SG3.SP2  Deploy 
Standard  Processes 

Subpractices  (continued) 

6.  Ensure  the  defined 
processes  resulting  from 
process  tailoring  are 
incorporated  into  plans 
for  process-compliance 
audits. 

7.  As  the  organization's  set 
of  standard  processes  is 
updated,  identify  which 
organizational  units 
should  implement  the 
changes. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

DS8.5  Risk  Mom-  8.1 

toring  and 
P04.3  Testing 

P010.13 


2.  Review  selected  process 
assets. 

3.  Review  results  of  process 
compliance  audits  to 
determine  how  well  the 
organization's  set  of 
standard  processes  has 
been  deployed. 

4.  Identify,  document,  and 
track  to  closure  issues 
related  to  implementing 
the  organization's  set  of 
standard  processes. 


OPF:SG3.SP3  Monitor  the 

Implementation 

Subpractices 

1.  Monitor  use  of  the 

organization's  process 
assets  (including  standard 
processes)  and  changes 
to  them. 


OPF:SP3.3  OID:SP2.2 
OPF:SP3.3 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Flandbook 

ISO/IEC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

OPF:SG3.SP4  Incorporate 

Experiences  into 

OPF:SP3.4 

OPF:SP3.4 

DS8.5 

Risk  Moni¬ 
toring  and 
Testing 

8.2 

Organizational  Process 


Assets 

Subpractices 

1.  Conduct  periodic  reviews 
of  effectiveness  and 
suitability  of  the 
organization's  set  of 
standard  processes  and 
related  organizational 
process  assets  relative  to 
the  organization's 
strategic  objectives. 

2.  Obtain  feedback  about 
the  use  of  organizational 
process  assets. 

3.  Derive  lessons  learned 
from  defining,  piloting, 
implementing,  and 
deploying  organizational 
process  assets. 

4.  Make  lessons  learned 
available  to  staff  as 
appropriate. 

5.  Analyze  measurement 
data  obtained  from  the 
use  of  the  organization's 
common  set  of  measures. 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

OPF:SG3.SP4  Incorporate 

Experiences  into 

Organizational  Process 

Assets 

Subpractices  (continued) 

6.  Appraise  processes, 
methods,  and  tools  in  use 
in  the  organization  and 
develop 

recommendations  for 
improving  organizational 
process  assets. 

7.  Make  the  best  of  the 
organization's  processes, 
methods,  and  tools 
available  to  staff  as 
appropriate. 

8.  Manage  process 
improvement  proposals. 

9.  Establish  and  maintain 
records  of  the 
organization's  process 
improvement  activities. 
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cert®  Resilience  Commercial  Standards  and  Practices 


Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009  2006  CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OTA  -  Organizational  Training  and  Awareness 


OTA-.SGl  Establish 
Awareness  Program 


0TA:SG1.SP1  Establish  10.2  P06.5  3.3.1  9.2 

Awareness  Needs  3  3  2 

Subpractices  3  3  3 

1.  Analyze  the 
organization's  resilience 
program  to  identify  the 
types  and  extent  of 
awareness  training  that 
are  necessary  to  satisfy 
resilience  program 
objectives. 

2.  Document  the  awareness 
training  needs  of  the 
organization  by  staff 
group. 

3.  Determine  the  resources 
necessary  to  meet  the 
awareness  needs. 

4.  Revise  the  awareness 
needs  of  the  organization 
as  changes  to  the 
resilience  program  and 
strategy  are  made. 
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Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

ISO/I  EC 

20000-2: 

ISO/IEC 

24762: 

ISO/IEC 

27002: 

ISO/IEC 

27005: 

ISO/IEC 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OTA:SGl.SP2  Establish 

5.5 

P03.3 

3.3.1 

9.2 

5.1.1 

Awareness  Plan 

10.2 

3.3.2 

6.1.2 

Subpractices 

l.  Establish  awareness 

training  plan  content. 

2.  Establish  commitments 

to  plan. 

3.  Determine  resources 
necessary  to  carry  out 
the  plan. 

4.  Revise  plan  and 
commitments  as 

necessary. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

0TA:SG1.SP3  Establish  10.2 

Awareness  Delivery 

Capability 

Subpractices 

1.  Select  the  appropriate 
approaches  to  satisfy 
specific  organizational 
awareness  needs  based 
on  staff  group. 

2.  Determine  whether  to 
develop  the  awareness 
materials  internally, 
acquire  them  externally, 
or  some  combination. 

3.  Develop  or  obtain 
awareness  materials. 

4.  Develop  or  obtain 
qualified  instructors  or 
facilitators  as  needed. 

5.  Deliver  internal 
communications  about 
planned  awareness 
activities. 

6.  Revise  the  awareness 
materials  and  supporting 
artifacts  as  necessary. 


P03.3 


3.3.1  5.9.4  6.1.7 

3.3.2  9.2.3 

3.3.3 
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Management  Model 


vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OTA:SG2  Conduct 
Awareness  Activities 


OTA:SG2.SPl  Perform 
Awareness  Activities 

Subpractices 

1.  Determine  the  mix  of 
awareness  activities. 

2.  Plan  and  schedule 
awareness  activities, 
including  regular 
awareness  presentations. 

3.  Perform  logistics  planning 
for  each  scheduled 
awareness  activity. 

4.  Assign  resources  to  each 
scheduled  awareness 
activity. 

5.  Perform  awareness 
activities  according  to  the 
schedule  and  the  plan. 

6.  Track  the  delivery  of 
awareness  activities 
against  the  plan  and 
schedule. 


6.6.6  5.6.2  6.1.7 

5.9.4  8.2.1 

5.9.5  8.2.2 

9.2  10.8.1 
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Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OTA:SG2.SP2  Establish 


Awareness  Records 

5.9.5 

Subpractices 

9.2.3 

1.  Keep  records  of  all 
awareness  activities 
conducted  throughout 
the  organization. 

2.  Make  awareness  activity 
records  available  to 
appropriate  people  or 
processes. 


OTA:SG2.SP3  Assess 
Awareness  Program 
Effectiveness 
Subpractices 

1.  Assess  staff  awareness 
level  based  on  the  staff 
member's  respective  job 
responsibilities  and  roles. 

2.  Provide  a  mechanism  for 
evaluating  the 
effectiveness  of  each 
awareness  activity  with 
respect  to  the  objectives 
for  that  activity. 

3.  Document  suggested 
improvements  to  the 
awareness  plan  and 
program  based  on  the 
evaluation  of  the 
effectiveness  of  the 
awareness  activities. 


7.2 

7.5 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/IEC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

OTASG3  Establish  Training 

Capability 

OTA:SG3.SPl  Establish 

Training  Needs 

Subpractices 

1.  Collect  information  about 

skills  gap,  cross-training, 
and  succession  planning 
by  reviewing  the  job 
responsibilities  of 

7.3 

10.3 

OT:SPl.l 

OT:SP1.2 

OT:SPl.l 

OT:SP1.2 

AI4.2 

AI4.3 

AI4.4 

AI7.1 

DS7.1 

Board  and 

Senior 
Manage¬ 
ment  Re¬ 
sponsibility 

Other 
Policies, 
Standards, 
and  Pro- 

5.9 

6.4.6 

6.10.6 

7.5.8 

6.11 

personnel  involved  in  cesses 

nci  o  i 

resilience  processes  as  J 

well  as  current 

performance  levels.  P07.4 

2.  Analyze  the 
organization's  resilience 
requirements,  goals,  and 
objectives  to  determine 
future  training  needs. 

3.  Determine  the  roles  and 
skills  necessary  to 
perform  the  standard 
processes  that  constitute 
the  resilience 
management  system. 

4.  Document  the  resilience 
training  needs  of  the 
organization. 

5.  Document  the  training 
necessary  to  perform  the 
roles  in  the  organization's 
set  of  standard 
operational  resilience 
management  processes. 
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Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

0TA:SG3.SP1  Establish 

Training  Needs 

Subpractices  (continued) 

6.  Revise  the  resilience 

training  needs  of  the 
organization  as 
necessary. 

OTA:SG3.SP2  Establish  5.5  OT:SP1.3  OT:SP1.3  DS7.1 

Training  Plan  ?  3  p07  4 

Subpractices  ^ 

1.  Establish  resilience 
training  plan  content. 

2.  Establish  commitments 
to  the  resilience  training 
plan. 

3.  Revise  plan  and 
commitments  as 
necessary. 


Other 
Policies, 
Standards, 
and  Pro¬ 
cesses 


5.9.2 

5.9.3 

5.9.4 

5.9.5 


6.1.2 


6.11.1 

6.11.2 
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Management  Model 


vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OTA:SG3.SP3  Establish 


10.3 


0T:SP1.4  0T:SP1.4  DS7.2 


5.9.1 


Training  Capability 

Subpractices 

1.  Select  the  appropriate 
approaches  to  satisfy 
specific  organizational 
training  need  and 
competencies. 

2.  Determine  whether  to 
develop  training 
materials  internally  or 
acquire  them  externally. 

3.  Develop  or  obtain 
training  materials. 

4.  Develop  or  obtain 
qualified  instructors. 

5.  Describe  the  training  in 
the  organization's 
training  curriculum. 

6.  Revise  the  training 
materials  and  supporting 
work  products  as 
necessary. 


P07.4 


5.9.2 

5.9.3 
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Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OTA:SG4  Conduct  Training 

OTA:SG4.SPl  Deliver 

7.3 

AI4.2 

5.9.1 

8.2.2 

Training 

10.3 

OT:SP2.1 

OT:SP2.1 

AI4.3 

5.9.2 

10.8.1 

Subpractices 

AI4.4 

5.9.3 

11.7.1 

l.  Select  the  staff  who  will 

receive  the  training 
necessary  to  perform 

AI7.1 

5.9.5 

11.7.2 

their  roles  effectively. 

DS7.2 

6.3.9 

2.  Schedule  the  training, 

including  any  resources, 

DS13.1 

6.4.6 

as  necessary  (e.g., 
facilities  and  instructors). 

6.10.6 

3.  Conduct  the  training. 

7.5.8 

4.  Track  the  delivery  of 


training  against  the  plan. 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OTA:SG4.SP2  Establish 


DS7.3 


5.9.5 


Training  Records 
Subpractices 

1.  Keep  records  of  all  staff 
(including  external 
entities),  indicating 
whether  or  not  they 
successfully  completed 
each  training  course  or 
other  approved  training 
activity. 

2.  Keep  records  of  all  staff 
who  have  been  waived 
from  specific  training. 

3.  Keep  records  of  all  staff 
who  successfully 
complete  their 
designated  required 
training. 

4.  Make  training  records 
available  to  the 
appropriate  people  or 
processes. 


OT:SP2.2  OT:SP2.2 


CMU/SEI-201 1-TN-012  |  172 
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Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

OTA:SG4.SP3  Assess 

Training  Effectiveness 

OT:SP2.3 

OT:SP2.3 

DS7.3 

5.9.6 

6.4.6 

7.1 

7.2 

Subpractices 

1.  Provide  a  mechanism  for 

assessing  the 
effectiveness  of  each 
training  course  with 
respect  to  established 
organizational,  project,  or 
individual  learning  (or 
performance)  objectives. 

2.  Collect  other  data  that 

can  be  used  to  evaluate 
training  effectiveness. 

3.  Document  suggested 

improvements  to  the 
training  plan  based  on 
the  evaluation  of  the 
effectiveness  of  training 
activities. 
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Management  Model 


vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009  2006  CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

PM  -  People  Management 


PM:SG1  Establish  Vital 
Staff 

PM:SG1.SP1  Identify  Vital  6.4  P04.13  Appendlx 

G:  BCP 

Staff  8  7  3  po7  5  Compo- 

nents 

Subpractices 

1.  Identify  vital  service- 
support  staff. 

2.  Identify  vital  resilience- 
focused  staff 

3.  Identify  vital  managers. 

4.  Identify  staff  who  have 
access  to,  control  of,  or 
protection  responsibility 
for  highly  valuable  or 
highly  sensitive 
organizational  assets. 

5.  Identify  other  vital  staff. 

6.  Reconcile  the  lists  of  vital 
staff  periodically  to 
service  continuity  plans 
and  other  resilience- 
focused  strategies. 

7.  Periodically  validate  and 
update  the  lists  of  vital 
staff  based  on  changes  in 
the  operational  and 
organizational 
environment. 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

PM:SG2  Manage  Risks 
Associated  with  Staff 

Availability 


PM:SG2.SP1  Identify  and  7.3  P07.5  Risk  Man-  6.4.16 

agement 

Assess  Staff  Risk  6  6  2 

Subpractices  6.10.7  5.6.1 

1.  Determine  the  scope  of 

risk  assessment  for  staff.  6.12.5.2  5.6.2 


5.2.7 

5.4.3 


2.  Identify  risks  to  the  6  13  5  5  6  3 

availability  of  staff. 

3.  Analyze  risks  to  the 
availability  of  staff. 

4.  Categorize  and  prioritize 
staff  risks. 

5.  Assign  a  risk  disposition 
to  each  staff  risk. 

6.  Monitor  the  risk  and  the 
risk  strategy  on  a  regular 
basis  to  ensure  that  it 
does  not  pose  additional 
threat  to  the 
organization. 

7.  Develop  a  strategy  for 
those  risks  that  the 
organization  decides  to 
mitigate. 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

PCI: 

2009 


PM:SG2.SP2  Mitigate  Staff  7.3 

Risk 

Subpractices 

1.  Develop  and  implement 
risk  mitigation  strategies 
for  all  risks  that  have  a 
"mitigation"  or  "control" 
disposition. 

2.  Validate  the  risk 
mitigation  plans  by 
comparing  them  to 
existing  strategies. 

3.  Identify  the  person  or 
group  responsible  for 
each  risk  mitigation  plan 
and  ensure  that  they 
have  the  authority  to  act 
and  the  proper  level  of 
skills  and  training  to 
implement  and  monitor 
the  plan. 

4.  Address  residual  risk. 

5.  Implement  the  risk 
mitigation  plans  and 
provide  a  method  to 
monitor  the  effectiveness 
of  these  plans. 

6.  Monitor  risk  status. 


P07.5 


Risk  Man¬ 
agement 


6.4.16 

6.10.7 

6.12.5.2 

6.13.5 


5.6.1 

5.6.2 

5.6.3 
5.7 


7.  Collect  performance 
measures  on  the  risk 
management  process. 
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Management  Model 

vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

PM:SG3  Manage  the 
Availability  of  Staff 


PM:SG3.SP1  Establish  7.3 

Redundancy  for  Vital  Staff 

Subpractices 

1.  Determine  which  vital 
staff  positions  must  have 
redundancy. 

2.  Identify  backup  staff  for 
vital  staff  positions. 

3.  Develop  strategic  plan  for 
providing  staff 
redundancy. 

4.  Provide  training  to 
redundant  staff  to 
perform  necessary  roles 
and  responsibilities. 


P04.12  6.3.1  6.3.9 

P04.13 

P07.5 
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Management  Model 
vl.l 


Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

PM:SG3.SP2  Perform 

7.3 

P04.13 

6.3.1 

6.3.9 

Succession  Planning 

P07.4 


Subpractices 

P07.5 

1.  Identify  key  positions  that 
need  to  be  included  in 
succession  planning. 

2.  Develop  strategies  for 
creating  a  succession 
chain. 

3.  Establish  detailed 
succession  plans  for  key 
personnel  positions. 

4.  Mentor  and  train 
successor  personnel  to 
perform  necessary 
functions. 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

PM:SG3.SP3  Prepare  for  7.3  DS4.8 

Redeployment 

Subpractices 

1.  Establish  plans  for  staff 
redeployment  during 
disruptive  events. 

2.  Notify  staff  of  the  plans 
for  their  redeployment 
during  disruptive  events. 

3.  Provide  appropriate 
training  for  staff  in 
advance  of 
redeployment. 

4.  Obtain  and  provide 
credentials  for  first 
responders. 

5.  Review  and  update  plans 
for  staff  redeployment 
during  disruptive  events 
as  needed. 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

PM:SG3.SP4  Plan  to  6.2.3 

Support  Staff  During 
Disruptive  Events 

Subpractices 

1.  Establish  a  strategy  for 
support  considerations 
during  disruptive  events. 

2.  Identify  areas  of  support 
that  the  organization 
must  provide. 

3.  Develop  plans  to  support 
staff  during  disruptive 
events. 

4.  Assign  resources  to  the 
plans  to  support  staff 
during  disruptive  events. 

5.  Review  and  update  the 
plans  to  support  staff 
during  disruptive  events 
as  needed. 


DS4.8  5.2 

5.5.5 

6.10.7 

6.13 

9.4.3 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

PM:SG3.SP5  Plan  for 

Return-to-Work 

Considerations 

Subpractices 

1.  Establish  a  strategy  for 
transitioning  staff  back  to 
the  workplace. 

2.  Identify  and  procure 
resources  that  will  be 
needed  to  ensure 
effective  transition. 

3.  Review  and  revise  the 
plans  to  address  return- 
to-work  considerations 
after  a  disruptive  event 
as  appropriate. 


5.2 

9.4.3 
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Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/IEC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

RISK  -  RISK  Management 

RISK:SG1  Prepare  for  Risk 

Management 

RISK:SG1.SP1  Determine 

Risk  Sources  and  Categories 

Subpractices 

1.  Determine  operational 
risk  sources. 

2.  Determine  operational 
risk  categories. 

3.  Create  an  operational  risk 
taxonomy. 

6.5 

RSKM:SP1.1 

RSKM:SP1.1 

ME4.5 

Risk  As¬ 
sessment 

Risk  Man¬ 
agement 

Appendix  F: 

Business 

impact 

analysis 

process 

6.6.5 

6.6.7 

9.5.1 

4.1 

8.2. 1.3 

5.3 

5.4.2 

CMU/SEI-201 1-TN-012  |  182 


CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 

ISO/IEC 

ISO/IEC  ISO/IEC  ISO/IEC  ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT  FFIEC  BCP 

20000-2: 

24762:  27002:  27005:  31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006  CMMI-Dev 

CMMI-Svc 

4.1  Elandbook 

2005  (E) 

2008  (E)  2005  (E)  2008  (E)  2009  (E) 

1600 

2009 

RISK:SG1.SP2  Establish  an 

4.3.1 

6.5  RSKM:SP1.3 

RSKM:SP1.3 

ME4.5  BCP  Pr0‘ 

4.1.4 

5.11  4.1  7.1  5.1 

5.4 

Operational  Risk 

cess 

6.6.3 

9.5.1  14.1.1  9.4  5.2 

Management  Strategy 

6.6.4 

9.5  5.3.1 

Subpractices 

Appendix  F: 

l.  Develop  and  document 

Business 

6.6.5 

10  5.3.2 

an  operational  risk 

impact 

management  strategy 

analysis 

5.3.3 

that  aligns  with  the 

process  t 

organization's  overall 

5.3.4 

enterprise  risk 

management  strategy. 

2.  Communicate  the 

operational  risk 

management  strategy  to 

relevant  stakeholders  and 

obtain  their  commitment 

to  the  activities. 

RISK:SG2  Establish  Risk 

Parameters  and  Focus 

RISK:SG2.SP1  Define  Risk 

6.2.3  RSKM:SP1.2 

RSKM:SP1.2 

ME4.5  Risk  As- 

6.2.7  4.1  7.2  5.3.5 

sessment 

Parameters 

6.5 

P09-2  Risk  Man- 

Subpractices 

agement 

1.  Define  risk  thresholds  for 

Appendix  F: 

each  risk  category. 

Business 

impact 

2.  Establish  risk 

analysis 

management 

process 

parameters. 
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Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RISK:SG2.SP2  Establish  Risk 

6.2.3 

ME4.5 

Risk  As- 

6.6.4 

6.2.7 

4.2 

7.2 

5.3.5 

5.3.2 

Measurement  Criteria 

6.5 

P09.2 

sessment 

7.3 

5.4.2 

Subpractices 

P09.5 

agement 

7.4 

5.4.3 

1.  Define  organizational 

impact  areas. 

Appendix  F: 

Business 

impact 

8.2.2. 1 

5.6.3 

2.  Prioritize  impact  areas  for 

analysis 

the  organization. 

process 

3.  Define  and  document  risk 
measurement  and 
evaluation  criteria. 


4.  Define  and  document  risk 
likelihood. 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 

ISO/I  EC  ISO/IEC  ISO/IEC  ISO/IEC  ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT  FFIEC  BCP  20000-2:  24762:  27002:  27005:  31000:  NFPA  PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev  CMMI-Svc 

4.1  Handbook  2005(E)  2008(E)  2005(E)  2008(E)  2009(E)  1600  2009 

RISK:SG3  Identify  Risk 

RISK:SG3.SP1  Identify 

4.2.1 

6.5 

RSKM:SP2.1  RSKM:SP2.1 

AH. 2  R'skAs-  6.6.4  5  4  4  1  gl  5.4.2  5.3.1 

Asset-Level  Risks 

P09'3  Risk  Man-  5.5.1  12.1.1  8.2.1.6  5.3.2 

Subpractices 

agement 

P09.4  6.2.7  14.1.1  5.4.3 

l.  Identify  the  tools. 

Appendix  F: 

techniques,  and  methods 

PO10.9  Business  14.1.2  5.6.3 

that  the  organization  can 

impact 

use  to  identify 

analysis 

operational  risks  to 

organizational  assets. 

2.  Identify  the  operational 

risks  (at  the  asset  level) 

that  can  negatively 

impact  high-value 

organizational  services. 

3.  Develop  risk  statements. 

4.  Identify  the  relevant 

stakeholders  associated 

with  each  documented 

risk. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RISK:SG3.SP2  Identify 

4.2.1 

6.5 

RSKM:SP2.1 

RSKM:SP2.1 

All. 2 

Risk  As- 

5.4 

4.1 

8.1 

5.4.2 

5.4.3 

P09.3 

sessment 

5.5.1 

12.1.1 

8.2. 1.6 

Service-Level  Risks 

Subpractices 

P09.4 

agement 

6.2.7 

14.1.1 

l.  Identify  the  services  that 

Appendix  F: 

are  associated  with  each 

PO10.9 

Business 

14.1.2 

asset-specific  risk 

impact 

statement.  Update  the 

analysis 

risk  statement  to  reflect 

associated  services. 

process 

2.  Determine  the  effect  on 

the  service  that  could 
result  from  the 
realization  of  risk  at  the 

asset  level. 

3.  Update  risk  statement 

information  to  reflect 
service-specific 
consequences  and  the 
severity  of  the 
consequences  due  to 
realized  risk. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Elandbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RISK:SG4  Analyze  Risk 

RISK:SG4.SP1  Evaluate  Risk 

4.2.1 

5.5 

RSKM:SP2.2 

RSKM:SP2.2 

All. 2 

Risk  As¬ 
sessment 

5.4 

4.1 

8.2.2. 2 

5.4.3 

5.3.1 

Subpractices 

4.3.1 

6.6 

P09.4 

Risk  Man- 

5.5.1 

8. 2. 2. 3 

5.4.3 

1.  Evaluate  the  identified 
risks  using  the  defined 
risk  parameters  and  risk 
measurement  criteria. 

2.  Assign  a  valuation  to  each 
risk  statement. 

PO10.9 

agement 

Appendix  F: 

Business 

impact 

analysis 

process 

6.2.7 

8. 2. 2. 4 

5.4.4 

5.6.3 

RISK:SG4.SP2  Categorize 

and  Prioritize  Risk 

4.3.1 

6.6 

RSKM:SP2.2 

RSKM:SP2.2 

All. 2 

P09.4 

Risk  As¬ 
sessment 

Appendix  F: 

Business 

impact 

analysis 

process 

4.2 

8.1 

8. 2. 2. 5 

5.4.4 

5.4.4 

Subpractices 

l.  Categorize  and  group 

risks  according  to  the 
defined  risk  categories  or 
other  classification. 

2.  Prioritize  risks  for 

disposition  and 
mitigation. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RISK:SG4.SP3  Assign  Risk 

Disposition 

6.6 

6.7 

RSKM:SP2.2 

RSKM:SP2.2 

P09.4 

P09.5 

Appendix  F: 

Business 

impact 

analysis 

process 

8.3.3 

8.3.4 

8.1 

9.3 

5.4.4 

Subpractices 

10 

l.  Assign  a  risk  disposition 

to  each  risk  statement 
based  on  risk  valuation 
and  prioritization. 

2.  Obtain  approval  for  the 

proposed  disposition  of 
each  risk,  particularly 
those  that  are  not  going 
to  be  mitigated. 

3.  Develop  a  strategy  to 

carry  out  the  proposed 
risk  disposition. 

4.  Monitor  the  risk  and  the 

risk  strategy  on  a  regular 
basis  to  ensure  that  it 
does  not  pose  additional 
threat  to  the 
organization. 

5.  Develop  a  strategy  for 

those  risks  that  the 
organization  decides  to 
mitigate. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 


vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RISK:SG5  Mitigate  and 
Control  Risk 


RISK:SG5.SP1  Develop  Risk 
Mitigation  Plans 

Subpractices 

1.  Develop  risk  mitigation 
plans  for  all  risks  that 
have  a  mitigation  or 
control  disposition. 

2.  Validate  the  risk 
mitigation  plans  by 
comparing  them  to 
existing  protection  and 
sustainability  strategies. 

3.  Identify  the  person  or 
group  responsible  for 
each  risk  mitigation  plan 
and  ensure  they  have  the 
authority  to  act  and  the 
proper  level  of  skills  and 
training  to  implement 
and  monitor  the  plan. 

4.  Address  residual  risk. 


6.6.4 

7.1 

7.2 


RSKM:SP3.1 


RSKM:SP3.1  P09.6 


Risk  Man¬ 
agement 


5.11 

4.2 

9.1 

5.5.1 

5.6.1 

6.2.10 

5.5.2 

5.6.2 

9.5.1 

5.7 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

ISO/IEC 

20000-2: 

ISO/IEC 

24762: 

ISO/IEC 

27002: 

ISO/IEC 

27005: 

ISO/IEC 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RISK:SG5.SP2  Implement 

Risk  Strategies 

6.6.4 

6.6.5 

RSKM:SP3.2 

RSKM:SP3.2 

P09.6 

PO10.9 

Risk  Man¬ 
agement 

5.11 

4.2 

9.1 

5.5.3 

Subpractices 

7.1 

1.  Monitor  risk  status. 

2.  Provide  a  method  for 
tracking  open  risks  to 
closure. 

7.2 

3.  Implement  the  risk 

mitigation  plans  and 
provide  a  method  to 
monitor  the  effectiveness 
of  these  plans. 

4.  Provide  continued 

commitment  of  resources 
for  each  plan  to  allow 
successful  execution  of 
the  risk  management 
activities. 

5.  Collect  performance 

measures  on  the  risk 
management  process. 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

RISK:SG6  Use  Risk 

Information  to  Manage 

Resilience 

RISK:SG6.SP1  Review  and  6.6 

Adjust  Strategies  to  Protect 

Assets  and  Services 

Subpractices 

1.  Compare  risk  mitigation 
plans  to  existing  control 
structures  for  affected 
assets  and  services. 

2.  Revise  existing  controls 
or  develop  and 
implement  additional 
controls  that  are 
necessary  to  mitigate 
risks. 


9.2  5.6  5.6.4 

10  5.7 

12 

Risk  Man¬ 
agement 

Risk  Moni¬ 
toring  and 
Testing 


P09.6 


o^-rr.u-  83g 

cess 


Risk 

Assessment 


8.3.9 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RISK:SG6.SP2  Review  and  6.6 

Adjust  Strategies  to  Sustain 

Services 

Subpractices 

1.  Compare  risk  mitigation 
plans  to  existing 
continuity  of  operations 
plans  for  affected  assets 
and  services. 

2.  Revise  existing  continuity 
of  operations  plans  or 
develop  and  implement 
additional  plans  that  are 
necessary  to  mitigate 
risks. 


9.2  5.6 

10  5.7 

12 

Risk  Man¬ 
agement 

Risk  Moni¬ 
toring  and 
Testing 


P09.6 


o^-rr.u-  83g 

cess 


Risk 

Assessment 


8.3.9 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009  2006  CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

CERT®  Resilience 
Management  Model 
vl.l 


Commercial  Standards  and  Practices 


RRD  -  Resilience  Requirements  Development 


RRD:SG1  Identify  Enterprise 
Requirements 


RRD:SG1.SP1  Establish 
Enterprise  Resilience 
Requirements 

Subpractices 

1.  Consult  legal,  statutory, 
regulatory,  and 
contractual  requirements 
that  an  organization  and 
all  of  its  external  entities 
are  required  to  satisfy. 

2.  Identify  business-specific 
constraints. 

3.  Identify  the  principles, 
objectives,  and  business 
requirements  for 
processing,  storing,  and 
transmitting  information 
that  an  organization  has 
developed  to  support  its 
operations. 

4.  Identify  organizational 
strategic  objectives, 
critical  success  factors, 
policies  or  other 
indicators  of  importance 
that  could  result  in 
enterprise  requirements. 


RD:SP1.1 

RD:SP1.2 

RD:SP2.3 


All.l 


4.1.2 


Other 
Policies, 

PO10.12  Standards'  4.1.4 
and  Pro¬ 
cesses 


5.1.1 

6.1.1 

12.1.1 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RRD:SG1.SP1  Establish 
Enterprise  Resilience 
Requirements 

Subpractices  (continued) 

5.  Develop  and 

communicate  a  list  of 
enterprise  requirements 
that  affect  all 
organizational  units  and 
lines  of  business. 
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cert®  Resilience  Commercial  Standards  and  Practices 


Management  Model 
vl.l 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RRD-.SG2  Develop  Service 

Requirements 

RRD:SG2.SP1  Establish 

RD:SP2.1 

DS4.8 

Other 

4.1.1 

5.3.3 

6.1.1 

Asset  Resilience 

Requirements 

Policies, 

Standards, 

4.1.2 

6.3.3 

7.1.3 

cesses 

4.1.4 

12.1.1 

Subpractices 


1.  Interview  asset  owners  to 
determine  specific  asset- 
level  requirements. 

2.  Perform  information 
security  risk  assessment 
and/or  business  impact 
analysis  to  identify  risks 
that  must  be  reflected  in 
asset  requirement. 

3.  Document 
confidentiality,  integrity, 
and  availability 
requirements  for  each 
service-related  asset. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RRD:SG2.SP2  Assign  RD:SP2.2  DS4.8 

Enterprise  Resilience 

Requirements  to  Services 

Subpractices 

1.  Identify  enterprise-level 
requirements  that  are 
applicable  to  each  service 
and  associated  asset. 

2.  Assign  enterprise-level 
requirements  to  services 
and  associated  assets. 

RRD:SG3  Analyze  and  Vali¬ 
date  Requirements 

RRD:SG3.SP1  Establish  a 

Definition  of  Required 

Functionality 

Subpractices 

1.  Document  the  asset 

functionality  description 
for  each  asset  that  is 
associated  with  one  or 
more  services. 


RD:SP3.1  BCP  Pro-  4.1.1 

cess 

RD:SP3.2  4.1.2 

4.1.4 


4.1.1 


Other 
Policies, 

Standards,  412 


and  Pro¬ 
cesses 


4.1.4 


6.1.1 

7.1.3 

12.1.1 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

ISO/I  EC 

20000-2: 

ISO/IEC 

24762: 

ISO/IEC 

27002: 

ISO/IEC 

27005: 

ISO/IEC 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RRD:SG3.SP2  Analyze 

RD:SP3.3 

4.1.4 

6.1.1 

Resilience  Requirements 

RD:SP3.4 

Subpractices 

l.  Analyze  asset 

requirements  against 
baseline  asset 
functionality  and  identify 
conflicts.  Make 
adjustments  to 
requirements  as 
necessary. 

2.  Develop  conflict 

mitigation  action  plans  to 
resolve  requirements 
deficiencies  and  conflicts 
that  result  from  analysis 
and  validation  activities. 

3.  Analyze  asset 

requirement  against 
enterprise  requirements 
that  have  been  assigned 
to  services.  Revise  asset 
requirements  to  reflect 
enterprise  requirements 
to  reflect  enterprise 
requirements  where 
necessary. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 

Process  Area  Specific  iso/iec  iso/iec  iso/iec  iso/iec  iso/iec 

Goals  and  Specific  ANSI/ASIS  BS25999-1:  COBIT  FFIEC  BCP  20000-2:  24762:  27002:  27005:  31000:  NFPA  PCI: 

Practices  SPC.l-2009  2006  CMMI-Dev  CMMI-Svc  4.1  Handbook  2005(E)  2008(E)  2005(E)  2008(E)  2009(E)  1600  2009 

RRD:SG3.SP3  Validate  RD:SP3.5  4.1.4  6.1.1 

Resilience  Requirements 

Subpractices 

1.  Perform  affinity  analysis 
between  strategic  drivers 
(such  as  critical  success 
factors)  and  asset 
requirements. 

2.  Critically  analyze 
requirements  to  ensure 
that  they  adequately 
specify  what  is  needed  to 
protect  and  sustain  an 
asset  relative  to  its 
association  with  a 
service. 

3.  Identify  requirement 
gaps. 

4.  Revise  requirements  as 
necessary. 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009  2006  CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

CERT®  Resilience 
Management  Model 
vl.l 


Commercial  Standards  and  Practices 


RRM  -  Resilience  Requirements  Management 


RRM:SG1  Manage 
Requirements 


RRM:SG1.SP1  Obtain  an 
Understanding  of  Resilience 
Requirements 

Subpractices 

1.  Establish  objective 
criteria  for  the  evaluation 
and  acceptance  of 
requirements. 

2.  Analyze  requirements  to 
ensure  that  the 
established  evaluation 
and  acceptance  criteria 
are  met. 

3.  Reach  an  understanding 
(between  owners  and 
custodians)  on  the 
requirements  so  that 
custodians  can  commit  to 
them. 


7.1 


REQM:SP1.1  REQM:SP1.1  PO10.12 


4.1.1 

4.1.2 
4.1.4 


6.1.1 

7.1.3 

12.1.1 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

ISO/I  EC 

20000-2: 

ISO/IEC 

24762: 

ISO/IEC 

27002: 

ISO/IEC 

27005: 

ISO/IEC 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RRM:SG1.SP2  Obtain 

REQM:SP1.2 

REQM:SP1.2 

4.1.1 

7.1.3 

Commitment  to  Resilience 

Requirements 

4.1.2 

4.1.4 

12.1.1 

Subpractices 

l.  Document  and 

communicate 
requirements  through 
service-level  agreements 
between  asset  owners 
and  custodians. 

2.  Document  the 

custodian's 
understanding  of 
requirements  and  obtain 
sign-off. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RRM:SG1.SP3  Manage 
Resilience  Requirements 
Changes 
Subpractices 

1.  Establish  a  requirements 
baseline  from  which 
changes  will  be  managed. 

2.  Develop  and  document 
criteria  for  establishing 
when  a  change  in 
requirements  must  be 
considered. 

3.  Analyze  results  of 
information  security  risk 
assessment  and/or 
business  impact  analysis 
to  identify  changes  to 
requirements  that  are 
related  to  risk  mitigation. 

4.  Document  the 
requirements  changes. 

5.  Maintain  a  requirement 
change  history  with 
rationale  for  performing 
the  changes. 

6.  Evaluate  the  impact  of 
requirement  changes  on 
existing  protection  and 
sustainability  activities 
and  commitments. 

7.  Establish  communications 
channels  to  ensure 
custodians  are  aware  of 
changes  in  requirements. 


REQM:SP1.3  REQM:SP1.3  4.1.2 

4.1.3 

4.1.4 
9.1.1 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 

Process  Area  Specific  iso/iec  iso/iec  iso/iec  iso/iec  iso/iec 

Goals  and  Specific  ANSI/ASIS  BS25999-1:  COBIT  FFIEC  BCP  20000-2:  24762:  27002:  27005:  31000:  NFPA  PCI: 

Practices  SPC.l-2009  2006  CMMI-Dev  CMMI-Svc  4.1  Handbook  2005(E)  2008(E)  2005(E)  2008(E)  2009(E)  1600  2009 

RRM:SG1.SP4  Maintain  REQM:SP1.4  REQM:SP1.4  9.1.1 

Traceability  of  Resilience 

Requirements 

Subpractices 

1.  Document  requirements 
and  their  source  or  origin 
as  part  of  asset  profile  or 
documentation. 

2.  Maintain  requirements 
traceability. 

3.  Generate  a  requirements 
traceability  matrix. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RRM:SG1.SP5  Identify 
Inconsistencies  Between 
Resilience  Requirements 
and  Activities  Performed  to 
Meet  the  Requirements 

Subpractices 

1.  Review  the  planned  or 
implemented  activities 
for  consistency  with 
requirements. 

2.  Document  custodial 
constraints  that  may 
impede  satisfaction  of 
requirements  and  update 
requirements  as 
necessary. 

3.  Identify  changes  that 
have  to  be  made  in 
activities  (or  planned 
activities)  to  ensure 
satisfaction  of 
requirements  as 
specified. 

4.  Initiate  corrective  actions 
to  enforce  alignment 
between  requirements 
and  activities. 


REQM:SP1.5  REQM:SP1.5 


4.1.2 

4.1.4 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

RTSE  -  Resilient  Technical  Solution  Management 

RTSE:SG1  Establish 

Guidelines  for  Resilient 

Technical  Solution 

Development 

RTSE:SG1.SP1  Identify 

General  Guidelines 

Subpractices 

l.  Identify  general 

guidelines  for  the 
development  of  resilient 
software  and  systems. 

TS:SP1.1 

AI2.1 

P08.1 

10.3.1 

12.2 

12.3 

RTSE:SG1.SP2  Identify 

Requirements  Guidelines 

Subpractices 

l.  Identify  requirements 

guidelines  for  the 
development  of  resilient 
software  and  systems. 

TS:SP1.2 

All.l 

P08.1 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

RTSE:SG1.SP3  Identify 

TS:SP2.1 

AI2.1 

10.3.1 

Architecture  and  Design 

TS:SP2.2 

AI2.2 

12.2 

Guidelines 

P08.3 

12.3 

Subpractices 

l.  Identify  requirements 

guidelines  for  the 
development  of  resilient 
software  and  systems. 

RTSE:SG1.SP4  Identify 

TS:SP2.3 

All.l 

12.2 

Implementation  Guidelines 

AI2.2 

12.3 

Subpractices 

P08.3 

1.  Identify  coding  guidelines 

for  the  development  of 
resilient  software. 

2.  Identify  testing  guidelines 

for  the  development  of 
resilient  software. 

3.  Identify  testing  guidelines 

for  the  development  of 
resilient  systems. 

CMU/SEI-201 1-TN-012  |  205 


CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

RTSE:SG1.SP5  Identify 

Assembly  and  Integration 

Guidelines 

Subpractices 

1.  Identify  coding  guidelines 

for  the  development  of 
resilient  software. 

AI2.2 

P08.3 

10.3.2 

12.4.1 

RTSE.SG2  Develop  Resilient 

Technical  Solution 

Development  Plans 

RTSE:SG2.SP1  Select  and 

Tailor  Guidelines 

Subpractices 

1.  Identify  selection  criteria 
for  resilience  guidelines. 

2.  Select  and  tailor 
guidelines  for  specific 
software  or  system  asset. 

TS:SP2.4 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT  FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000:  NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev  CMMI-Svc 

4.1  Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E)  1600 

2009 

RTSE:SG2.SP2  Integrate 

TS:SP2.4 

AI2.7 

Selected  Guidelines  with  a 
Defined  Software  and 
System  Development  Pro¬ 
cess 

Subpractices 

1.  Update  process 
definitions. 

2.  Update  development 
plan. 


RTSE:SG3  Execute  the  Plan 

RTSE:SG3.SP1  Monitor 

Execution  of  the  Develop¬ 
ment  Plan 

Subpractices 

1.  Monitor  project 
performance  against  the 
development  plan  to 
ensure  that  resilience 
requirements  are 
satisfied. 

2.  Update  development 
project  plans,  resilience 
guidelines,  and  process 
definitions  as 
appropriate. 


TS:SP3.1 


AI2.8 

P08.5 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

RTSE:SG3.SP2  Release 

Resilient  Technical 

Solutions  into  Production 

TS:SP3.1 

TS:SP3.2 

AI7.8 

Subpractices 

1.  Establish  inspection 
criteria. 

2.  Inspect  software  and 
systems  to  ensure  they 
have  satisfied  inspection 
criteria. 

3.  Approve  assets  for 
release. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific  ansi/asis 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices  spc.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

SC  -  Service  Continuity 

SC:SG1  Prepare  for  Service 

Continuity 

SC:SG1.SP1  Plan  for  Service  4.3.3 

4. 1,2,3, 4 

DS4.1 

BCP  Pro- 

6.3.1 

5.1 

14.1.1 

4.1 

cess 

Continuity  447 

5. 1,2,3 

6.3.3 

5.3.3, 4 

14.1.4 

4.2 

Subpractices 

7.1-7.10 

Senior 

Manage- 

5.4 

4.3 

1.  Establish  the  plan  for 

ment  Re- 

managing  service 

8.6 

sponsibility 

5.5.2 

4.4 

continuity. 

8.7 

Other 

5.8.1 

5.1.1 

2.  Establish  commitments 

Policies, 

to  the  plan. 

9.5.3 

Standards, 

5.11 

5.2 

3.  Revise  the  plan  and 

and  Pro- 

commitments  as 

cesses 

6.1 

6.7 

necessary. 

Appendix 

D:  Pandem- 

6.4.15 

ic  Planning 

9.4. 1,2 

Appendix 

G:  BCP 
Compo¬ 
nents 

9.5.2 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

SC:SG1.SP2  Establish 

4.4.3 

4.1 

DS4.1 

BCP  Pro- 

6.3.3 

5.5.2 

14.1.4 

4.4 

Standards  and  Guidelines 

4.5.4 

4.2, 

cess 

5.8.1 

5.1.1 

5.2 

Board  and 

for  Service  Continuity 

4.3 

Senior 

Manage- 

5.8.4 

6.7 

Subpractices 

ment  Re- 

1.  Develop  and 

4.4 

sponsibility 

5.8.5 

communicate  service 

5.1 

Business 

5.11 

continuity  management 

guidelines  and  standards. 

5.2 

Analysis 

6.1 

5.3 

Risk  Man¬ 
agement 

6.3.14 

5.5 

Other 

6.4.15 

Policies, 
Standards, 
and  Pro- 

9.4.2 

cesses 

9.5.2 

Appendix 

G:  BCP 
Compo¬ 
nents 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

SC:SG2  Identify  and 
Prioritize  High-Value 
Services 


SC:SG2.SP1  Identify  the 

Organization's  High-Value 

Services 

Subpractices 

1.  Identify  the 
organization's  high-value 
services,  associated 
assets,  and  activities. 

2.  Analyze  and  document 
the  relative  value  of 
providing  these  services 
and  the  resulting  impact 
on  the  organization  if 
these  services  are 
interrupted. 

3.  Prioritize  and  document 
the  list  of  high-value 
services  that  must  be 
provided  if  a  disruption 
occurs. 


4.4 

6.2.1 

6.3 


SCON:SPl.l  DS4.2  BCP  Pro-  6.3.4  53.1  14.1.2 

cess 

DS43  Business  9-5-1 

Impact 
Analysis 

Appendix 
E:  Interde¬ 
pendencies 

Appendix 
G:  BCP 
Compo¬ 
nents 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

SC:SG2.SP2  Identify 

Internal  and  External 

Dependencies  and 

4.5 

6.1.2 

SCON:SP1.2 

BCP  Pro¬ 
cess 

Business 

6.3.4 

5.5.1 

5.5.2 

5.2.4 

Interdependencies 

6.2.2 

Analysis 

Subpractices 

l.  Identify  and  document 

internal  infrastructure 
dependencies  that  the 
organization  relies  upon 
to  provide  services. 

Risk  Man¬ 
agement 

Appendix 

G:  BCP 
Compo¬ 
nents 

2.  Identify  and  document 

external  entities  that  the 
organization  relies  upon 
to  provide  services. 

3.  Develop  a  key  contact  list 

for  organizational 
services  that  can  be 
included  as  part  of  the 
service  continuity  plans. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

SC:SG2.SP3  Identify  Vital 
Organizational  Records  and 
Databases 

Subpractices 

1.  Identify  and  document 
vital  records  and 
databases. 

2.  Identify  and  document 
vital  staff  and  their 
specific  roles  in  relation 
to  the  services  being 
provided. 

3.  Ensure  that  vital  records 
and  databases  are 
protected,  accessible, 
and  usable  in  the  event  of 
a  disruption  or 
interruption. 


6.2 

6.3 

6.4 

6.5 

6.6 
7.6 
8.7.5 


SCONiSPl.l 


BCP  Pro- 


6.3.4 


5.3.1 

5.8.4 


10.5.1 

10.8.5 

15.1.3 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 

ISO/I  EC  ISO/IEC  ISO/IEC  ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT  FFIEC  BCP  20000-2:  24762:  27002:  27005: 

31000: 

NFPA  PCI: 

Practices 

SPC.1-2009  2006 

CMMI-Dev 

CMMI-Svc 

4.1  Handbook  2005(E)  2008(E)  2005(E)  2008(E) 

2009  (E) 

1600  2009 

SC:SG3  Develop  Service 

Continuity  Plans 

SC:SG3.SP1  Identify  Plans 

4.3 

SCON:SP2.1 

DS4.2  Board  and  633  g.4.2  14.1.3 

5.2 

Senior 

to  Be  Developed 

5.4.2 

DS4.3  Manage-  9.5.2  14.1.4 

6.4.2 

ment  Re- 

Subpractices 

5.5 

sponsibility 

6.7.2 

1.  Identify  service  continuity 

Appendix 

plans  to  be  developed. 

7.2 

D:  Pandem- 

6.9.3 

ic  Planning 

8.7.2 

6.9.5 

Appendix 

G:  BCP 

Compo- 

nents 

SC:SG3.SP2  Develop  and 

4.4.4  4.2 

SCON:SP2.1 

DS4.2  Board  and  6.3.3  5.3.4  14.1.3 

5.2 

Senior 

Document  Service 

4.4.6  5.5 

DS4.3  Manage-  6.3.4  5.8.4  14.1.4 

6.7.2 

Continuity  Plans 

7.2 

sponsibility  5  8  5 

6.9.3 

Subpractices 

Risk  Man- 

l.  Document  the  service 

agement  5.12 

6.9.5 

continuity  plans  using 

Appendix  9  4  2 

available  templates  as 

G:  BCP 

appropriate. 

Compo-  9.5.2 

2.  Document  the  key 

nents 

elements  of  the  specific 

plan. 

3.  Identify  the  stakeholders 

of  specific  service 

continuity  plans. 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

SC:SG3.SP3  Assign  Staff  to 

Service  Continuity  Plans 

5.2 

6.4 

DS4.3 

Board  and 

Senior 
Manage¬ 
ment  Re¬ 
sponsibility 

6.3.4 

5.8.4 

5.2.2 

5.2.3 

Subpractices 

8.3.3 

5.2.4 

l.  Identify  staff 

requirements  to  satisfy 
the  objectives  of  the 
service  continuity  plans. 

8.7.3 

8.7.4 

Other 
Policies, 
Standards, 
and  Pro- 

5.2.5 

2.  Identify  staff,  both 
internal  and  external,  to 
satisfy  the  resource 
requirements. 

3.  Assign  staff  to  the  service 
continuity  plans. 

cesses 

Appendix 

G:  BCP 
Compo¬ 
nents 

SC:SG3.SP4  Store  and 

Secure  Service  Continuity 

Plans 

4.4.5 

4.5.4 

8.3.1 

DS4.7 

Risk  Man¬ 
agement 

6.3.4 

5.12 

14.1.3 

Subpractices 

l.  Establish  a  service 

continuity  plan  inventory 
or  database. 

2.  Store  and  protect  the 

service  continuity  plans  in 
the  plan  inventory  or 
database. 

3.  Establish  access  controls 

to  ensure  that  service 
continuity  plans  can  only 
be  accessible  to 

authorized  individuals. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

SC:SG3.SP5  Develop 
Service  Continuity  Plan 
Training 

Subpractices 

1.  Identify  any  specialized 
training  needs  based  on 
skill  gaps  for  the  activities 
as  described  in  the  plan. 

2.  Develop  a  strategy  for 
conducting  service 
continuity  plan  training. 

3.  Develop  training 
materials  and  resources 
to  conduct  plan  training 
on  a  regular  and  ongoing 
basis. 

4.  Train  resources  as 
necessary  to  fulfill  their 
responsibilities  in  the 
plan. 

5.  Update  service  continuity 
plans,  if  necessary,  as  a 
result  of  feedback  from 
training. 


5.3.1 

10.2 

10.3 


SCON:SP2.2  DS4.6 
SCON:SP2.3  DS4.7 


Board  and 
Senior 
Manage¬ 
ment  Re¬ 
sponsibility 


5.9.2 


14.1.5 


6.11.1 
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cert®  Resilience  Commercial  Standards  and  Practices 


Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

SC:SG4  Validate  Service 
Continuity  Plans 


SC:SG4.SP1  Validate  Plans  4.3 

to  Requirements  and  5  ^ 

Standards 

Subpractices 

1.  Review  plans  for 
consistency  in  achieving 
stated  resilience 
requirements  for 
associated  services  and 
assets. 

2.  Review  plans  for 
adherence  to  service 
continuity  plan 
development  standards 
and  guidelines. 

3.  Identify  plan  omissions, 
gaps,  and  issues  and 
develop  appropriate  plan 
updates  and  remediation 
actions. 


SCON:SP3.1 

DS3.4 

Board  and 

Senior 

SCON:SP3.2 

DS4.4 

Manage¬ 
ment  Re¬ 

SCON:SP3.3 

sponsibility 

Risk  Man¬ 

agement 
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CERT®  Resilience 

Management  Model 

vl.l 

Commercial  Standards  and  Practices 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC  ISO/IEC  ISO/IEC 

Goals  and  Specific  ansi/asis  BS25999-1: 

COBIT  FFIEC  BCP  20000-2: 

24762: 

27002:  27005:  31000:  NFPA 

PCI: 

Practices  spc.1-2009  2006 

CMMI-Dev  CMMI-Svc 

4.1  Handbook  2005(E) 

2008  (E) 

2005  (E)  2008  (E)  2009  (E)  1600 

2009 

SC:SG4.SP2  Identify  and  5.4.1 

DS4  5  Board  and 

Senior 

Resolve  Plan  Conflicts 

Manage- 

ment  Re- 

Subpractices 

sponsibility 

l.  Review  plans  to 

Risk  Man- 

determine  plan  conflicts. 

agement 

2.  Determine  the  severity  of 

plan  conflicts  and 

develop  appropriate 

mitigation  actions  to 

reduce  or  eliminate  the 

conflict. 

3.  Rewrite  or  revise  plans  as 

necessary. 

SC.SG5  Exercise  Service 

Continuity  Plans 

SC:SG5.SP1  Develop  4.5.2.2  9.1 

DS4.5  Board  and  6  3  4 

5.9.3 

4.6  7.1 

Senior 

Testing  Program  and 

Manage- 

5.10 

14.1.5 

Standards 

9.3 

sponsibility 

Subpractices 

Risk  Man- 

l.  Develop  testing  program 

agement 

and  test  standards  to 

Risk  Moni- 

apply  universally  across 

toring  and 

all  testing  of  service 

Testing 

continuity  plans. 

Appendix 

ongoing  testing  and 

H:  Testing 

review  of  plans. 

Program  - 

Govern- 

ance  and 

Attributes 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

SC:SG5.SP2  Develop  and 

5.4.1 

SCON:SP2.1 

AI7.2 

Board  and 

Senior 

6.3.4 

5.9.3 

10.5.1 

7.2 

Document  Test  Plans 

5.5 

DS4.5 

Manage¬ 
ment  Re- 

5.10 

14.1.5 

7.3 

Subpractices 

9.2 

sponsibility 

6.15.4 

7.4 

l.  Develop  and  document 

Risk  Man- 

service  continuity  plan 

agement 

7.5 

tests. 

Risk  Moni- 

2.  Review  service  continuity 

toring  and 

test  plans  with 
stakeholders. 

Testing 

Appendix 

H:  Testing 
Program  - 
Govern¬ 
ance  and 

Attributes 

SC:SG5.SP3  Exercise  Plans 

5.4.1 

SCON:SP2.1 

DS4.5 

Board  and 

Senior 

6.3.4 

5.9.3 

14.1.5 

7.4 

Subpractices 

Manage¬ 
ment  Re- 

5.10 

l.  Prepare  to  conduct 

sponsibility 

6.15.4 

service  continuity  plan 

tests. 

Risk  Moni¬ 
toring  and 

2.  Execute  the  service 

Testing 

continuity  plan  test. 

Appendix 

3.  Document  and  record  the 

H:  Testing 

results  in  accordance 
with  the  organization's 
testing  standards. 

Program  - 

ance  and 

Attributes 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 


vl.l 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

SC:SG5.SP4  Evaluate  Plan 

Test  Results 

4.5.3 

5.4.1 

9.3.2 

SCON:SP3.3 

DS4.5 

Board  and 

Senior 
Manage¬ 
ment  Re¬ 
sponsibility 

6.3.4 

5.10 

6.15.4 

14.1.5 

7.5 

Subpractices 

1.  Compare  actual  test 
results  with  expected  test 
results  and  test 
objectives. 

2.  Document  areas  of 
improvement  for  service 
continuity  plans. 

3.  Document  areas  of 
improvement  for  testing 
service  continuity  plans 

Risk  As- 

sessment 

Risk  Man¬ 
agement 

Risk  Moni¬ 
toring  and 
Testing 

Appendix 

H:  Testing 
Program  - 
Govern¬ 
ance  and 
Attributes 

SC.SG6  Execute  Service 


Continuity  Plans 


SC:SG6.SP1  Execute  Plans  8.3.4 

Subpractices 

1.  Determine  the  conditions 
under  which  a  service 
continuity  plan  must  be 
executed. 

2.  Execute  plans  as 
required. 


Risk  As¬ 
sessment 

Risk  Man¬ 
agement 

Risk  Moni¬ 
toring  and 
Testing 

Appendix 
A:  Exami¬ 
nation 
Procedures 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 


vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

Goals  and  Specific  ansi/asis 

BS25999-1: 

COBIT  FFIEC  BCP 

20000-2: 

24762: 

Practices  spc.1-2009 

2006 

CMMI-Dev 

CMMI-Svc  4.1  Handbook 

2005  (E) 

2008  (E) 

ISO/IEC 

ISO/IEC 

ISO/IEC 

27002: 

27005: 

31000: 

NFPA 

PCI: 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

SC:SG6.SP2  Measure  the  4.5.3  9.4 


SCON:SP3.3 


DS4.10 


Risk  As¬ 
sessment 


9.1 


8.1 


Effectiveness  of  the  Plans 
in  Operation 


Risk  Man¬ 
agement 


Subpractices 

1.  Compare  documented 
plan  results  with  plan 
objectives  and 
expectations. 

2.  Document  areas  of 
improvement  for  service 
continuity  plans. 


Risk  Moni¬ 
toring  and 
Testing 

Appendix 
A:  Exami¬ 
nation 
Procedures 


3.  Document  areas  of 

improvement  for  testing 
service  continuity  plans. 


SC:SG7  Maintain  Service 
Continuity  Plans 


SC:SG7.SP1  Establish  9.5  DS4.4 

Change  Criteria 

Subpractices 

1.  Develop  and  document 
criteria  for  establishing 
when  changes  to  a 
service  continuity  plan 
should  be  considered. 


Board  and  6.3.4  5.10  14.1.5  8.1.3 

Senior 

Manage-  91 

ment  Re¬ 
sponsibility 

BCP  Pro¬ 
cess 

Risk  Man¬ 
agement 
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CERT®  Resilience 

Commercial  Standards  and  Practices 

Management  Model 

vl.l 

Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

SC:SG7.SP2  Maintain 

Changes  to  Plans 

5.4.1 

5.4.2 

DS4.4 

Board  and 

Senior 
Manage¬ 
ment  Re¬ 
sponsibility 

14.1.5 

8.2 

Subpractices 

8.3.5 

l.  Identify  and  document 

changes  to  the  service 
continuity  plans  based  on 
defined  criteria  and 
conditions. 

9.4 

9.5 

BCP  Pro¬ 
cess 

Risk  Man¬ 
agement 

2.  Increment  versions  of  the 

service  continuity  plan  in 
the  plan 

inventory/database. 

3.  Communicate  the 

updated  plan  to 
appropriate  stakeholders 
as  required. 
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cert®  Resilience  Commercial  Standards  and  Practices 


Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009  2006  CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

TM  -Technology  Management 


TM:SG1  Establish  and 
Prioritize  Technology  Assets 


TM:SG1.SP1  Prioritize  6.4 

Technology  Assets 

Subpractices 

1.  Compile  a  list  of  high- 
value  technology  assets 
from  the  organization's 
technology  asset 
inventory. 

2.  Prioritize  technology 
assets. 

3.  Periodically  validate  and 
update  the  list  of  high- 
value  technology  assets 
based  on  operational  and 
organizational 
environment  changes. 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Flandbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

TM:SG1.SP2  Establish 

6.4 

DS4.8 

9.1.2 

5.3.1, 2 

12.1.1 

Resilience-Focused 

Technology  Assets 

8.7.3 

P03.4 

6.6.4 

6.7.1, 6 

6.8.1 

6.11.2 

6.12.2.4 

Subpractices 

1.  Compile  a  list  of 

resilience-focused 
technology  assets  from 
the  organization's  asset 
inventory. 

2.  Periodically  reconcile  the 

list  of  resilience-focused 
technology  assts  to  the 
organization's  service 
continuity  plans  and 
resilience  strategies. 

6.12.2.5 

6.12.3.4 

6.12.5.3.4 

6.12.5.5.6 

6.12.6 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

TMSG2  Protect  Technology 

Assets 

TM:SG2.SP1  Assign 

AI2.4 

6.1.2 

5.3.3 

10.8.5 

Resilience  Requirements  to 

AI7.3 

6.6.1, 4 

12.4.2 

Technology  Assets 

AI7.4 

6.7.1 

12.4.3 

Subpractices 

6.8.4 

DS4.8 

12.5.1 

1.  Assign  resilience 

requirements  to 
technology  assets. 

DS5.7 

6. 8. 5. 4, 5 

6.8.6 

12.5.2 

2.  Document  the 

P03.4 

12.5.4 

requirements  (if  they  are 
currently  not 
documented)  and  include 
in  the  asset  definition. 

6.9.1, 2 

6.10.6 

6.12.2.4.5 

6.12.3.4 

6.12.5.3.4 

6.12.5.5.6 

6.12.6 

7.6.6, 8 
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CERT®  Resilience 
Management  Model 
vl.l 


Commercial  Standards  and  Practices 


Process  Area  Specific 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Flandbook 

2005  (E) 

2008  (E) 

2005  (E) 

TM:SG2.SP2  Establish  and 

AI2.3 

6.3.3 

9.2 

Implement  Controls 

AI2.4 

6.3.5, 6,7 

10.1.2 

Subpractices 

AI2.5 

6.6.2, 4 

10.6.1,2 

1.  Establish  and  implement 

administrative  controls 

AI3.2 

6.7.1 

10.7.2 

for  technology  assets. 

AI7.3 

6.8.4 

10.8 

2.  Establish  and  implement 

technical  controls  for 

AI7.4 

6. 8. 5.4 

10.9.1,3 

technology  assets. 

3.  Establish  and  implement 

DS5.7 

6. 8. 5. 5 

10.10.2,3 

physical  controls  for 
technology  assets. 

6.8.6 

10.10.6 

4.  Establish  and  specify 

11.3.2,3 

controls  over  the  design, 
construction,  or 
acquisition  of  technology 
assets. 

6.9. 1,2 

6.10.6 

6.12.2.4,5 

11.4 

11.5.1.3.4 

5.  Monitor  the  effectiveness 

of  administrative, 
technical,  and  physical 
controls,  and  identify 
deficiencies  that  must  be 

6.12.3,4 

6.12.5.3 

11.5.5,6 

11.6.2 

resolved. 

6.12.5.4 

11.7.1,2 

6.12.5.5 

12.2.2,3,4 

6.12.5.6 

12.4.1,2,3 

6.12.6 

12.5.1,2,4 

7.6.8 

15.1.3,4,5 

15.3.2 

ISO/IEC 
27005: 
2008  (E) 


ISO/IEC 

31000:  NFPA 

2009  (E)  1600 


PCI: 

2009 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

TM:SG3  Manage 

Technology  Asset  Risk 

P09.1  Risk  Man-  6i7.4  10.10.2  5.4.3 

agement 

P09.4  6.9.3  11.7.1  5.6.1 

11.7.2  5.6.2 

Subpractices 

15.1.3  5.6.3 

1.  Determine  the  scope  of 

risk  assessment  for 
technology  assets. 

2.  Identify  risks  to 
technology  assets. 

3.  Analyze  risks  to 
technology  assets. 

4.  Categorize  and  prioritize 
risks  to  technology 
assets. 

5.  Assign  a  risk  disposition 
to  each  technology  asset 
risk. 

6.  Monitor  the  risk  and  the 
risk  strategy  on  a  regular 
basis  to  ensure  that  it 
does  not  pose  additional 
threat  to  the 
organization. 

7.  Develop  a  strategy  for 
those  risks  that  the 
organization  decides  to 
mitigate. 


TM:SG3.SP1  Identify  and 
Assess  Technology  Asset 
Risk 
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cert®  Resilience  Commercial  Standards  and  Practices 

Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

P09.4  Risk  Man-  6.7.4  11.7.1  5.6.1 

agement 

P09.5  11.7.2  5.6.2 

Subpractices  15  1  3  5  6  3 

1.  Develop  and  implement 

risk  mitigation  strategies  5.7 

for  all  risks  that  have  a 
"mitigation"  or  "control" 
disposition. 

2.  Validate  the  risk 
mitigation  plans  by 
comparing  them  to 
existing  protection  and 
sustainability  strategies. 

3.  Identify  the  person  or 
group  responsible  for 
each  risk  mitigation  plan 
and  ensure  that  they 
have  the  authority  to  act 
and  the  proper  level  of 
skills  and  training  to 
implement  and  monitor 
the  plan. 

4.  Address  residual  risk. 

5.  Implement  the  risk 
mitigation  plans  and 
provide  a  method  to 
monitor  the  effectiveness 
of  these  plans. 

6.  Monitor  risk  status. 

7.  Collect  performance 
measures  on  the  risk 
management  process. 


TM:SG3.SP2  Mitigate 
Technology  Risk 
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cert®  Resilience  Commercial  Standards  and  Practices 


Management  Model 
vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

TM:SG4  Manage 
Technology  Asset  Integrity 


TM:SG4.SP1  Control  Access 
to  Technology  Assets 

Subpractices 

1.  Establish  access 
management  policies  and 
procedures  for 
requesting  and  approving 
access  privileges  to 
technology  assets. 

2.  Establish  organizationally 
acceptable  tools, 
techniques,  and  methods 
for  controlling  access  to 
technology  assets. 

3.  Identify  and  document 
staff  who  are  authorized 
to  modify  technology 
assets  relative  to  the 
asset's  resilience 
requirements. 

4.  Implement  tools, 
techniques,  and  methods 
to  monitor  and  log 
modification  activity  on 
high-value  technology 
assets. 

5.  Perform  periodic  audits 
of  technology  asset 
modification  logs,  and 
identify  and  address 
anomalies. 


CM:SP1.2  6.1.2  6.12.2.2  10.1.2 

10.1.4 

10.9.3 

10.10.3 
11.5.4 

12.4.1 

12.4.2 

12.4.3 
12.5 

15.1.3 

15.3.1 

15.3.2 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

TM:SG4.SP2  Perform 

CM:SP1.2 

CM:SP1.2 

AI2.6 

6.1.2 

10.1.2 

Configuration  Management 

CM:SP1.3 

CM:SP1.3 

DS9.1 

9.1.1 

10.9.3 

Subpractices 

CM:SP2.1 

CM:SP2.1 

DS9.2 

9.1.3 

11.5.4 

1.  Establish  requirements 

for  technology  standards, 

CM:SP2.2 

CM:SP2.2 

DS9.3 

9.1.4 

12.4.1 

guidelines,  and  policies 
for  configuration 
management. 

CM:SP3.1 

CM:SP3.1 

9.1.5 

12.5.1 

2.  Establish  a  configuration 

CM:SP3.2 

CM:SP3.2 

10.1.7 

15.1.3 

management  database  or 
system. 

3.  Identify  the  technology 
assets  (configuration 
items)  in  detail  that  will 
be  placed  under 
configuration 
management. 

4.  Create  baseline 
configuration  items. 

5.  Track  and  control 
changes  to  configuration 
items. 

6.  Review  configuration 
control  logs  and  identify 
anomalies. 

7.  Perform  configuration 
audits. 
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vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

TM:SG4.SP3  Perform 

CM:SP1.2 

CM:SP1.2 

AI6.1 

6.1.2 

10.1.2 

Change  Control  and 

CM:SP1.3 

CM:SP1.3 

AI6.2 

9.1.1 

10.9.1 

Management 

CM:SP2.1 

CM:SP2.1 

AI6.3 

9.1.3 

10.9.3 

Subpractices 

CM:SP2.2 

CM:SP2.2 

AI6.4 

9.1.4 

12.4.1 

l.  Develop  and  implement 

change  control  policies. 

CM:SP3.1 

CM:SP3.1 

AI6.5 

9.2.1 

12.5.1 

procedures,  and 
techniques. 

CM:SP3.2 

CM:SP3.2 

AI7.6 

9.2.2 

12.5.2 

2.  Initiate  and  record 

change  requests  in  the 
change  control  database 

AI7.9 

9.2.3 

15.1.3 

or  system. 

9.2.4 

3.  Analyze  the  impact  of 

10.1.4 

changes  proposed  in  the 
change  requests. 

10.1.5 

4.  Obtain  agreement  and 

approval  for  changes  to 
baselines  from  relevant 

10.1.6 

stakeholders. 

10.1.7 

5.  Track  the  status  of 

change  requests  to 

10.1.8 

closure. 

10.1.9 

6.  Control  configuration 

items. 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

TM:SG4.SP4  Perform 

CM:SP1.2 

CM:SP1.2 

AI7.7 

6.1.2 

10.1.2 

Release  Management 

CM:SP1.3 

CM:SP1.3 

AI7.8 

9.1.1 

10.3.2 

Subpractices 

CM:SP2.1 

CM:SP2.1 

9.1.4 

10.9.3 

1.  Develop  and  implement 

guidelines  for  the 

CM:SP2.2 

CM:SP2.2 

10.1.1 

12.4.1 

appropriate  planning  and 
release  of  technology 
assets. 

CM:SP3.1 

CM:SP3.1 

10.1.2 

12.5 

2.  Plan  technology  asset 

CM:SP3.2 

CM:SP3.2 

10.1.3 

releases. 

SAM:SP2.5 

SAM:SP2.5 

10.1.4 

3.  Develop  release  "builds." 

4.  Test  release  "builds." 

10.1.5 

5.  Move  release  "builds" 

10.1.6 

into  the  organization's 
production  environment. 

10.1.7 

10.1.8 

10.1.9 
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vl.l 


Process  Area  Specific 
Goals  and  Specific 

Practices 

ANSI/ASIS 

SPC.1-2009 

BS25999-1: 

2006 

CMMI-Dev 

CMMI-Svc 

COBIT 

4.1 

FFIEC  BCP 

Handbook 

ISO/I  EC 

20000-2: 

2005  (E) 

ISO/IEC 

24762: 

2008  (E) 

ISO/IEC 

27002: 

2005  (E) 

ISO/IEC 

27005: 

2008  (E) 

ISO/IEC 

31000: 

2009  (E) 

NFPA 

1600 

PCI: 

2009 

TM:SG5  Manage  Technolo¬ 
gy  Asset  Availability 

TM:SG5.SP1  Perform 


7.5 


CAM:SP1.1 


6.1.2  5.5.3  15.1.3 


Planning  to  Sustain 
Technology  Assets 

Subpractices 

1.  Develop  an  approach  for 
sustaining  technology 
assets. 

2.  Establish  availability 

metrics  for  key 
technology  assets. 

3.  Establish  recovery  time 

objectives  for  high-value 
technology  assets. 

4.  Establish  recovery  point 

objectives  for  high-value 
technology  assets. 

5.  Develop  service 

continuity  plans  that 
address  technology 
availability. 


6.7.3 

6.7.4 
6.8.3 

6.8.5. 1 

6.8.5. 2 

6. 8. 5. 3 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

TM:SG5.SP2  Manage 
Technology  Asset 
Maintenance 

Subpractices 

1.  Identify  technology 
systems  that  require 
regular  maintenance 
activities. 

2.  Document  equipment 
supplier's  recommended 
service  intervals  and 
specifications. 

3.  Document  a  list  of 
maintenance  personnel 
authorized  to  carry  out 
repairs  and  service. 

4.  Document  all  suspected 
or  actual  faults  and  all 
preventative,  corrective, 
or  other  types  of 
maintenance. 

5.  Implement  maintenance 
and  test  maintenance 
changes  in  a  non- 
operational  environment 
when  appropriate. 

6.  Establish  appropriate 
controls  over  sensitive  or 
confidential  information 
when  maintenance  is 
performed. 


CAM:SP1.1  AI3.3 
AI2.10 
DS13.5 


6.1.2  7.6.4 


9.2.4 

10.8.1 

10.8.2 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

TM:SG5.SP2  Manage 

Technology  Asset 

Maintenance 

Subpractices  (continued) 

7.  Communicate 
maintenance  change 
notification  to 
appropriate  parties. 
[CMMI-SVC] 

8.  Implement  maintenance 
according  to  change 
request  procedures. 

9.  Document  and 
communicate  results  of 
maintenance. 
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vl.l 

Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

TM:SG5.SP3  Manage 

CAM:SP1.1 

DS3.1 

6.1.2 

6.7.5 

10.3.1 

Technology  Capacity 

CAM:SP2.3 

DS3.2 

6.5 

6.8.1 

Subpractices 

DS3.3 

6.8.3 

l.  Identify  technology 

assets  that  require 
capacity  management 
and  planning. 

DS3.4 

DS3.5 

6.8.5. 1 

6.8.5. 2 

2.  Document  technology 

asset  use,  performance, 
capacity,  and  availability 
needs. 

6. 8. 5. 3 

6.10.1 

3.  Forecast  technology  asset 

use,  performance, 
capacity,  and  availability 
needs. 

6.14.8 

4.  Develop  a  strategy  to 

meet  the  demand  for 
capacity  based  on  the 
resilience  requirements 
for  the  technology  asset 
and  the  services  it 
supports. 

5.  Periodically  validate  and 

update  the  capacity 
management  strategy  for 
technology  assets  based 
on  operational  and 
organizational 
environment  changes. 
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cert®  Resilience  Commercial  Standards  and  Practices 
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vl.l 

Process  Area  Specific  iso/iec  iso/iec  iso/iec  iso/iec  iso/iec 

Goals  and  Specific  ANSI/ASIS  BS25999-1:  COBIT  FFIEC  BCP  20000-2:  24762:  27002:  27005:  31000:  NFPA  PCI: 

Practices  SPC.l-2009  2006  CMMI-Dev  CMMI-Svc  4.1  Handbook  2005(E)  2008(E)  2005(E)  2008(E)  2009(E)  1600  2009 

TM:SG5.SP4  Manage  AI3.4  10.3.2 

Technology  Interoperability 

Subpractices 

1.  Establish  interoperability 
standards. 

2.  Develop  interoperability 
management  strategy. 

3.  Identify  and  analyze  risks 
related  to  interoperability 
of  technology  assets. 

4.  Monitor  the 
interoperability  strategy 
on  a  regular  basis  to 
ensure  that  it  does  not 
pose  additional  risks  to 
the  organization. 
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vl.l 


Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS  BS25999-1: 

COBIT 

FFIEC  BCP  20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009  2006 

CMMI-Dev  CMMI-Svc 

4.1 

Handbook  2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

VAR  -  Vulnerability  Analysis  and  Resolution 


VAR: SGI  Prepare  for 

Vulnerability  Analysis  and 

Resolution 

VAR:SG1.SP1  Establish 

Scope 

Subpractices 

1.  Identify  the  assets  that 
are  the  focus  of 
vulnerability  analysis  and 
resolution  activities. 

2.  Identify  the  operational 
environments  where 
vulnerabilities  may  exist 
for  each  asset. 

3.  Define  the  scope  of 
vulnerability  analysis  and 
resolution  activities. 


Appendix  5.2  12.6.1  5.4.2. 

C:  Internal 

and  exter-  2 

nal  threats 

5.6.3 

Appendix  F: 

Business 

impact 

analysis 

process 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

VAR:SG1.SP2  Establish  a 
Vulnerability  Analysis  and 
Resolution  Strategy 

Subpractices 

1.  Develop  and  document 
an  operational 
vulnerability  analysis  and 
resolution  strategy. 

2.  Communicate  the 
operational  vulnerability 
analysis  to  relevant 
stakeholders  and  obtain 
their  commitment  to  the 
activities  described  in  the 
strategy. 

3.  Assign  resources  to 
specific  vulnerability 
analysis  and  resolution 
roles  and  responsibilities. 

4.  Identify  the  tools, 
techniques,  and  methods 
that  the  organization  will 
use  to  identify 
vulnerabilities  to  assets. 


Appendix 
C:  Internal 
and  exter¬ 
nal  threats 


10.4.1 

10.4.2 


Appendix  F: 

Business 

impact 

analysis 

process 


5.6.3 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC. 1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

VAR-.SG2  Identify  and  Ana¬ 
lyze  Vulnerabilities 


VAR:SG2.SP1  Identify 

Sources  of  Vulnerability 

Information 

Subpractices 

1.  Identify  sources  of 
relevant  vulnerability 
information. 

2.  Review  sources  on  a 
regular  basis  and  update 
as  necessary. 


Appendix  F: 

Business 

impact 

analysis 

process 


10.8.5 

12.5.2 


5.6.3 


VAR:SG2.SP2  Discover 
Vulnerabilities 

Subpractices 

1.  Discover  vulnerabilities. 

2.  Provide  training  to  staff 
to  perform  data 
collection  and  discover 
vulnerabilities. 

3.  Populate  the  vulnerability 
repository. 

4.  Provide  access  to  the 
vulnerability  repository  to 
appropriate  process 
stakeholders. 


DS5.5  8.3.1 

DS5.9 

P09.1 


6.1.2 

12.5.2 

12.6.1 

15.2.2 


8.2.1.5 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

VAR:SG2.SP3  Analyze 
Vulnerabilities 

Subpractices 

1.  Develop  prioritization 
guidelines  for 
vulnerabilities. 

2.  Analyze  the  structure  and 
action  of  the 
vulnerability. 

3.  Prioritize  and  categorize 
vulnerabilities  for 
disposition. 

4.  Update  the  vulnerability 
repository  with  analysis 
and  prioritization/ 
categorization 
information. 


Appendix  F: 

Business 

impact 

analysis 

process 


8.3.1 

8.3.10 


10.8.5 

12.6.1 

13.1.2 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

VAR:SG3  Manage  Exposure 
to  Vulnerabilities 


VAR:SG3.SP1  Manage 
Exposure  to  Vulnerabilities 

Subpractices 

1.  Develop  a  vulnerability 
management  strategy  for 
all  vulnerabilities  that 
require  resolution. 

2.  Ensure  that  relevant 
stakeholders  are 
informed  of  resolution 
activities. 

3.  Update  the  vulnerability 
repository  with 
information  on  the 
vulnerability 
management  strategy. 

4.  Monitor  the  status  of 
open  vulnerabilities. 

5.  Analyze  the  effectiveness 
of  vulnerability 
management  strategies 
to  ensure  that  objectives 
are  achieved. 


DS5.9  8.3.3 

8.3.8 

8.3.9 

8.3.10 


9.1.6 
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Process  Area  Specific 

ISO/I  EC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

ISO/IEC 

Goals  and  Specific 

ANSI/ASIS 

BS25999-1: 

COBIT 

FFIEC  BCP 

20000-2: 

24762: 

27002: 

27005: 

31000: 

NFPA 

PCI: 

Practices 

SPC.1-2009 

2006 

CMMI-Dev 

CMMI-Svc 

4.1 

Handbook 

2005  (E) 

2008  (E) 

2005  (E) 

2008  (E) 

2009  (E) 

1600 

2009 

VAR:SG4  Identify  Root 

Causes 

VAR:SG4.SP1  Perform  8.3.1 

Root-Cause  Analysis 

Subpractices 

1.  Identify  and  select  root 
cause  tools,  techniques, 
and  methods  appropriate 
for  use  in  analyzing  the 
underlying  causes  of 
vulnerabilities. 

2.  Identify  and  analyze  the 
root  causes  of 
vulnerabilities. 

3.  Develop  and  implement 
strategies  to  address  root 
causes. 

4.  Monitor  the  effects  of 
implementing  strategies 
to  address  root  causes. 
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